Choo Choo Pwn Surprised Koreans and Helped Find a Zero-Day Vulnerability

11/15/2013

Experts from the PHDays organizing team brought the railway hacking contest Choo Choo Pwn to Power of Community 2013, a friendly conference held in Seoul and the largest information security conference in East Asia. They spoke about new attacks on SCADA systems and invited the winners of Power of XX, a CTF for women only, to PHDays 2014.

As a reminder, Choo Choo Pwn was developed specifically for Positive Hack Days III, where it was held for the first time. The Choo Choo Pwn stand, built in the Positive Technologies laboratory, is a modern model railway whose elements, from the trains to the crossing gates and traffic lights, are controlled by an ICS built on three SCADA systems.

The contest proved so popular at PHDays III that its developers soon began touring industry events, demonstrating ICS security flaws in master classes and hacking competitions. Jumping ahead a bit: "Choocha", as the organizers call the contest, is being reborn ahead of PHDays 2014 and will be significantly upgraded and improved.

Given the extent of high-speed rail deployment in South Korea (KTX, Hyundai) and industrial growth in the region as a whole, ICS security is taken very seriously in the country, and Choo Choo Pwn became one of the most notable events of POC’13.

Participants from several countries had to gain access to the model's railroad and cargo transloading control system by exploiting weaknesses in the industrial protocols and bypassing authentication on the web interfaces of the SCADA software and industrial equipment. Once they had access to the ICS, HMI or controllers, they had to disable individual parts of the model or take over the targeted systems. They were also required to disable the surveillance cameras.

More than 30 information security specialists tried to hack the Choo Choo Pwn model, and the contest had several winners. Lim Jung Won, Hee-chan Lee and Eun-chang Lee found flaws in Modbus and gained control over the loading crane, which was driven by Siemens software (SIMATIC WinCC flexible 2008) and an ICP DAS remote I/O unit. Meanwhile, Grace Kim, Jenny Kim and Chin Bin In gained access to the railroad control system by finding and exploiting security flaws in Siemens WinCC 7 SP2 and the SIMATIC S7-1200 (S7 protocol).

Special prizes went to Jonas Zaddach, who exploited a zero-day vulnerability in the S7-1200 PLC to carry out a DoS attack, and to his colleague Lucian Cojocar, who found the vulnerability. Jenny Kim, the only woman among the winners, deserves a special mention for the determination and persistence that impressed everyone. Lim Jung Won was the first to figure out Modbus and to write a semi-automated script to control the loading crane.
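The Modbus part of the contest is worth a closer look, because it shows why "finding flaws in Modbus" is enough to drive a crane. Modbus/TCP carries no authentication at all: the frame is a 7-byte MBAP header followed by a function code and its parameters, and any host that can reach TCP/502 on a controller or remote I/O unit can read and write its coils and registers. The example below is added here for illustration; it is neither the winning team's script nor Positive Technologies' code. It builds and parses Modbus/TCP frames as the specification defines them and then runs a minimal passive check of the kind an ICS monitoring sensor would perform, flagging write function codes from hosts other than the approved HMI. The unit IDs, coil address and IP addresses are constructed for the example and have nothing to do with the actual stand.

```python
import struct

# Modbus/TCP function codes, as defined by the Modbus Application Protocol spec
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}

MODBUS_TCP_PORT = 502


def build_adu(transaction_id, unit_id, function_code, payload):
    """Build a Modbus/TCP Application Data Unit: 7-byte MBAP header + PDU.

    The header carries a transaction ID, a protocol ID (always 0), a length
    field and the unit ID. There is no field for credentials anywhere in the
    frame: whoever can reach TCP/502 can issue any request.
    """
    pdu = struct.pack(">B", function_code) + payload
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_coil(transaction_id, unit_id, address, on):
    """FC 0x05: set one discrete output. 0xFF00 means ON, 0x0000 means OFF."""
    value = 0xFF00 if on else 0x0000
    return build_adu(transaction_id, unit_id, WRITE_SINGLE_COIL,
                     struct.pack(">HH", address, value))


def read_holding_registers(transaction_id, unit_id, address, count):
    """FC 0x03: read `count` 16-bit registers starting at `address`."""
    return build_adu(transaction_id, unit_id, READ_HOLDING_REGISTERS,
                     struct.pack(">HH", address, count))


def parse_adu(data):
    """Decode an ADU into its fields, rejecting frames that are not Modbus/TCP."""
    if len(data) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", data[:7])
    if protocol_id != 0:
        raise ValueError("protocol ID must be 0 for Modbus/TCP")
    if length != len(data) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": data[7], "payload": data[8:]}


def flag_unauthorised_writes(frames, allowed_writers):
    """Passive monitoring check: alert on any write function code whose
    source is not an approved HMI or engineering station.

    `frames` is an iterable of (src_ip, dst_ip, raw_adu). Reads are not
    flagged here, although they are the usual reconnaissance step.
    """
    alerts = []
    for src, dst, raw in frames:
        try:
            adu = parse_adu(raw)
        except ValueError:
            continue  # not Modbus or malformed; a real sensor would log this too
        fc = adu["function_code"]
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src} -> {dst}:{MODBUS_TCP_PORT} unit {adu['unit_id']}: "
                          f"write FC 0x{fc:02X} from unapproved source")
    return alerts


# Constructed sample traffic (hypothetical addresses): the legitimate HMI and an
# attacker host that first reads state, then drives coil 16, imagined here as
# the crane motor output on a remote I/O unit.
HMI, ATTACKER, RIO = "10.0.0.5", "10.0.0.99", "10.0.0.20"
SAMPLE_FRAMES = [
    (HMI, RIO, read_holding_registers(1, 1, 0, 4)),
    (HMI, RIO, write_single_coil(2, 1, 16, False)),
    (ATTACKER, RIO, read_holding_registers(1, 1, 0, 4)),
    (ATTACKER, RIO, write_single_coil(2, 1, 16, True)),
]

if __name__ == "__main__":
    print(write_single_coil(1, 1, 16, True).hex())
    for alert in flag_unauthorised_writes(SAMPLE_FRAMES, {HMI}):
        print(alert)
```

Two caveats a practitioner would add. First, the attacker's write is byte-for-byte identical to the HMI's except for the source address, so a source allow-list is a weak control: addresses can be spoofed on a flat network, and an attacker who has taken the HMI itself (which is what the WinCC findings in the contest amount to) writes from an approved address. Segmentation and a protocol-aware firewall that only passes read function codes towards the controller are the stronger fix. Second, the S7 side of the stand is a different protocol with its own weaknesses and is not covered by this example.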

Girls Only

Power of Community traditionally hosts a most unusual CTF: the Land of the Morning Calm has given the world Power of XX, a CTF for women only.

The winning team, SecurityFirst from Soonchunhyang University (Kim Aae-sol, Kim Ji-young, Kim Hak-soo, Park Sae-yan, Park Jeong-min), can be met in Russia in May 2014: as the winners of the Seoul CTF they are admitted directly to PHDays CTF 2014, bypassing the qualification round.