Threatpost | Tara Seals | THREATPOST:36E8597B546A3209D19ACC71AB5B17AE
Aug 09, 2019 - 8:00 p.m.

DEF CON 2019: Delta ICS Flaw Allows Total Industrial Takeover

2019-08-09 20:00:32 | Tara Seals | threatpost.com

EPSS: 0.029 (Low), percentile 90.8%

A serious vulnerability has been found in a commonly used Delta industrial control system that could allow malicious actors on the same network to gain complete control of the device's operating system.

The Delta enteliBUS Manager centralizes control for various pieces of hardware often found in corporate or industrial settings. Taking it over could have plenty of repercussions, such as enabling remote manipulation of access control systems, boiler rooms, alarms and sensors in a factory, temperature control for critical systems or lighting in a business.

The bug (CVE-2019-9569) is a buffer overflow, i.e. a mismatch between the size of incoming network data and the memory reserved to hold it, according to researchers from McAfee.
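As an added illustration (not McAfee's or Delta's code, and not the real enteliBUS message format), the size mismatch described above modelled in C: a receive handler that trusts a length field read from the network, beside the hardened form that checks that field against the fixed receive buffer before copying anything. The two-byte header and 64-byte buffer are assumed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a controller's receive path: a two-byte header
 * (type, declared payload length) then the payload. Not the real enteliBUS
 * layout; it only models the size mismatch the article describes. The
 * 64-byte receive buffer is an assumed value. */
#define RX_BUF_SIZE 64
enum { MSG_OK = 0, MSG_TOO_SHORT = -1, MSG_TOO_LONG = -2 };
struct rx_state { uint8_t type, len; uint8_t payload[RX_BUF_SIZE]; };

/* Vulnerable form: trusts the length byte in the packet, so a declared
 * length above 64 writes past `payload`. Shown for contrast only. */
int handle_unchecked(struct rx_state *st, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return MSG_TOO_SHORT;
    st->type = pkt[0];
    st->len = pkt[1];
    memcpy(st->payload, pkt + 2, st->len); /* no bound against RX_BUF_SIZE */
    return MSG_OK;
}

/* Hardened form: the declared length must fit both the receive buffer and
 * the bytes actually received before anything is copied. */
int handle_checked(struct rx_state *st, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return MSG_TOO_SHORT;
    uint8_t declared = pkt[1];
    if (declared > RX_BUF_SIZE) return MSG_TOO_LONG;          /* size mismatch */
    if ((size_t)declared > pkt_len - 2) return MSG_TOO_SHORT; /* truncated frame */
    st->type = pkt[0];
    st->len = declared;
    memcpy(st->payload, pkt + 2, declared);
    return MSG_OK;
}

/* Builds a constructed packet that claims `claimed` payload bytes but really
 * carries `actual` bytes of 0x41, and returns the hardened handler's verdict. */
int verdict_for(uint8_t claimed, size_t actual)
{
    uint8_t pkt[2 + 255];
    struct rx_state st;
    if (actual > 255) return MSG_TOO_LONG;
    pkt[0] = 1;
    pkt[1] = claimed;
    memset(pkt + 2, 0x41, actual);
    return handle_checked(&st, pkt, 2 + actual);
}
```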

"Worse still, the attack uses what is known as broadcast traffic, meaning they can launch the attack without knowing the location of the targets on the network," explained Mark Bereza, security researcher at McAfee, in research released at DEF CON 2019 on Friday. "The result is a twisted version of Marco Polo – the hacker needs only shout 'Marco!' into the darkness and wait for the unsuspecting targets to shout 'Polo!' in response."

To cause trouble in industrial or enterprise environments, taking over the OS of the enteliBUS Manager is not enough. One would also need to gain access to the systems that it controls.

The team had a certified technician program the controller to interface with an HVAC system, in order to carry out a replay attack.

"If we wanted to determine how to tell the device to flip a switch, we would first observe the device flipping the switch in the 'normal' way and try to track down what code had to run for that to happen," Bereza explained. "Next, we would try to recreate those conditions by running that code manually, thus replaying the previously observed event. This strategy proved effective in granting us control over every category of device the eBMGR supports."

The team then wrote custom malware that installs a backdoor, allowing an attacker to remotely issue commands to the manager and control any hardware connected to it.

β€œTo make matters worse, if the attacker knows the IP address of the device ahead of time, this exploit can be performed over the internet, increasing its impact exponentially,” Bereza said.

Delta Controls has issued a patch, which should be applied quickly. Bereza said that a Shodan search indicated that 1,600 vulnerable systems remain exposed to the internet.

*Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.*
