Another Piece of the Stuxnet Puzzle

We can now conclusively link Stuxnet to the centrifuge structure at the Natanz nuclear enrichment lab in Iran. Watch this new video presentation from Ralph Langner, the researcher who has done the most work on Stuxnet. It's a long clip, but the good stuff is between 21:00 and 29:00. The pictures he's referring to are still up.

My previous writings on Stuxnet.

Posted on February 23, 2012 at 12:29 PM • 25 Comments

Comments

VANDECASTEEL JURGEN February 23, 2012 1:39 PM

I HOPE THE PEOPLE WHO WORK WITH STUXNET BEGIN TO REALIZE THaT THIS IS NOT A TIME TO PLAY WITH STUXNET TOO MUCH NUCLEAR FACILITIES

MiramonFebruary 23, 2012 1:43 PM

Is it just me, or does anyone else feel that one lowercase 'a' in Jurgen's comment is somehow highly significant? We must go deeper....

DanielFebruary 23, 2012 1:51 PM

*mind boggles*. I rarely use the word brilliant anymore but that is brilliant detective work.

keithFebruary 23, 2012 3:05 PM

Brilliant stuff. Okay, what I don't get, they went to so much trouble to introduce subtle faults rather than a one-off attack on Natanz, but then put it in a worm that anyone could analyse.

Oh, someone is asking that question right now at 52 minutes, haha! "Guys, this was not cool, this was too easy."

So yeah, that seems odd to me.

Terry A. DavisFebruary 23, 2012 3:13 PM

If the CIA says it's so, it's so, I guess unless God objects. He's mostly a pussy.

God says, "deepness treasury upliftest eyes bosom descent travailing
engaged boughs stages lettest recently mainly rehearse
stung displayed Mammon towards obedience instantly immoderate
without resurrection contentiousness seat candle seed
Am unskilfulness stripes sips thanksgivings adulteress
bright adulterous shine sparedst magnified hallowed queen
wisely calf burthened exhort consecrated gone broad looker
witting prescripts "

SparkyGSXFebruary 23, 2012 4:42 PM

@Keith: I think there are several possible explanations; maybe they just didn't have any other way to get the code in the target controller.

On the other hand, maybe they thought nobody would figure out what the target was, or at least not in time for the worm to do its word. I think it's safe to say this research is largely irrelevant to the attackers, as Stuxnet was first detected some 20 months ago.


What surprises me most, is that the worm was ever linked to the Iranian nuclear facility in the first place; It's not clear to me what led anyone to suspect this was the case.


It is quite obvious the makers of Stuxnet had enormous resources; 4 zero-day vulnerabilities, 2 fake certificates, and a whole lot to time, to start with. But besides all that, they clearly had very detailed knowledge of the Iranian facility, and most certainly complete designs and code for the control system.


I'd say the whole thing seems damn-near impossible to put together, but somehow they did, and one could argue where at least moderately successful at sabotaging the Iranian nuclear program.

Clive RobinsonFebruary 23, 2012 5:36 PM

@ Keith,

So yeah, that seems odd to me

Because you like most others are assuming Iran was the primary target, not the stepping stone.

If you look back through the original threads you will find that both Nick P and myself had doubts about the supposed original target (the Russian nuclear reactor). My reasoning was that knowledge of the specifics of the nuclear reactor plant would require very detailed inside knowledge which would suggest that it would be easier to get at a person on the ground one way or another.

Nick assumed as I did that the target had to be known in some way, and the centrifuge was well known because it had originated via a Swiss company (Khan Ind/labs) from the "father of Pakistan's nuclear industry" A. Q. Khan.

Now I did some further thinking, Khan was known to have approached a number of countries including Libya and North Korea, who were both known to have purchased the type 1 centrifuges. The engineering prototypes being sent to Libya were impounded and thus very very fully spec'd out by various interested parties, so were "very much known". One part of the system the motor controler was a specialised part only available from one or to suppliers, one of which was effectivly under export control, so finding either controler was a bit of a give away.

My thinking went even further, as Khan had effectivly been taken out of the loop this would mean that the two main customers of the Khan technology Iran and North Korea only had each other to talk to and it was known that scientists from both countries met on a regular basis.

As far as the US was and is concerned the major worry was N.Korea simply because they had not only a viable delivery system it was well proven (nukes on their own are fairly useless). But N.Korea is possibly the most closed country in the world the chance of directly getting at their very active nuke program was about as close to zero as you can get.

So the "bridge head" in for an indirect attack would be the Iranian nuclear scientists via data sharing on USB key etc.

Now if you search back a year or two prior to Stuxnets discovery you will find posting from me about "air gap" crossing malware to get at voting machines via the repair technicians etc. So I'd effectivly written the play book for any competent programer to follow.

I still think, and I'm fairly sure the N.Koreans definatly think they were the intended target and that Iran was the "back door".

Unfortunatly for the US the N.Koreans had moved the technology on considerably, and rather pointedly proved the point to the International Inspectors they invited in to see their new more efficient cascade of a few thousand centrifuges, and gave them fairly free access EXCEPT to the control area which they made very definatly sure was not just off limits but unavailable in all ways.

So have a rethink about your concerns in the light of "Iran was a stepping stone to N.Korea" and see if it makes more sense to you.

SparkyGSXFebruary 23, 2012 5:44 PM

I just wanted to add something in responds to some of the questions at the end of the video (yes, I did actually watch it completely).

Even though the decompiled code (STL, statement list) looks somewhat like ASM, it actually isn't machine code, it's still interpreted. Absent some buffer overflow or other vulnerability in the interpreter, it's not directly possible to manipulate the raw memory image in the controller, outside the memory that was allocated for the PLC program in the first place.

One of the commenters said that, for some applications, it was vital that the process image would be writable (which I strongly disagree with; that's just bad practice), one could argue that the same could be said for being able to execute data memory on the x86 platform. Indeed, some applications (mostly games, I think) actually used run-time self-modifying code. However, it is still generally considered bad practice, and removing that freedom from the programmers was acceptable to make buffer overflow vulnerabilities much more difficult.

Of course, adoption of No-eXecute protection has been very slow, some variants have been broken, and some operating systems leave it up to the application programmer to properly setup the protection, but it's a start.

What I blame Siemens for mostly, is their complete lack of attention to security; they have always recommended NOT to change default passwords on devices, and still do, because some of their own crap wouldn't work anymore. They don't protect the integrity of the code in a controller, they don't use any kind of cryptographic signatures on the code that I think they should, and they generally just don't seem to care.

SparkyGSXFebruary 23, 2012 6:10 PM

@Clive: you make an interesting point; maybe the Natanz facility wasn't the primary target after all. It would seem unlikely to me that attacking the Natanz facility was a test, because the North-Koreans would have been allerted. It would seem plausible that the North-Korean facilities shared the design and control code with the Iranian facility.

Just maybe the North-Korean facilities were also affected, and they just don't acknowledge it.


I only just realized how the researchers figured out it was a possible attack against a nuclear facility; it required the use of a very specific type of high-speed frequency inverter, which are rarely used for other purposes, and fall under international export control regulations.


It seems Stuxnet changes the frequency setpoints of the controllers, to rapidly speed up and then quickly come to a nearly complete stop, after they have been running for quite a long time. While I don't know the first thing about these centrifuges, I'd think this would cause the contents to swirl and mix, thus ruining the separation achieved.

DanielFebruary 23, 2012 6:28 PM

I don't think the writers of Stuxnet in any way anticipated it being deconstructed in public the way it has been. Given the way the program was written to wear out the motors it was unlikely the controller would ever be suspected by the maintenance personnel. And, in fact, it wasn't. It was more bad luck than anything else that Stuxnet ever even came to light. It's also dubious that even if Iran had discovered it on-site that they have the expertise to deconstruct it with the expertise that Ralph displays.

"Because you like most others are assuming Iran was the primary target, not the stepping stone."

I'm sorry Clive but this thesis is a non-starter in light of his presentation. While it certainly isn't proof beyond any doubt the slew of evidence he presents meets a "preponderance of the evidence" standard. If you are going to argue that N.Korea was the real target you need to offer some hard data. Ralph convinced me.

GrantFebruary 23, 2012 7:51 PM

@ Daniel

> It's also dubious that even if Iran had discovered it on-site that they have the expertise to deconstruct it.

I've worked in Australia with Iranian technicians and scientists that were trained in Iran and left the country. Their ability to develop new instrumentation for geophysical applications and to reverse engineer existing binaries is as good as anyone's that I've worked with over the past few decades. While the people I've worked with chose to leave Iran, they have spoken of friends and relatives with similar skill levels who have elected to stay there.

There are smart people everywhere and the OCD level focus to dissect code is a rare skill but not one constrained by borders. There are 7,000 people with that 1 in a million skillset.

ChuckFebruary 23, 2012 10:59 PM

I watched that entire hour-long presentation video waiting for Langner to say something intelligent... anything at all. It never happened. He never told us anything about how the attack features worked. It was painfully obvious that Langner is an amateur programmer at best. The details that excited him were so inconsequentially trivial as to be not worth speaking about. Langner has succeeded in attracting media attention to the Stuxnet story, but delivered nothing but self aggrandizing and mostly baseless hype. I want more, but I despair of it ever coming from Langner.

Clive RobinsonFebruary 24, 2012 6:19 AM

@ Will,

off topic but everyone has to see this

Yes it is good news (if it's not overturned on appeal by SCOTUS).

All so in our own interest, perhaps we should stop using the old crypto analagy of a physical key and lock, and as was pointed out switch to the analagy of a non physical "combination" for the crypto key.

As for the "empty vault" argument, I feel the argument is correct. LEA's need to show reasonable suspicion etc to get a warrant to enter a building, let alone a vault inside a building.

Further the "plain sight" argument needs to be shot down once and for all, if files are on a hard disk on a system that is sufficiently issolated from publicly accessable networks then they are not on public display, therefor they are not in "cplain sight". People in the US should "have a reasonable expectation of privacy" "about their persons and papers" and not have such rights thrown out of the window by a smart mouthed shill working for the Government making what amounts to false accusations.

Oh and perhaps if in future the LEA's make such accusations and they are found to be false, then either the LEA legal representative in court making the claim or the most senior person either instructing them or paying them should do six years or whatever the maximum is for "false allegation" or "perjury" in the US, without hope of parole. Just to remind them and others that the State has responsabilities to the citizens just as citizens have responsabilities to the State, and that individuals representing the State should not use the over ridding position of the state to prevent fair and reasonable access to justice by individual citizens.

Sadly it's not likley to happen, so there is unlikley to be a way to clip the wings of the vultures paid for by the citizens, and prevent their excesses. Effectivly they are gambling with other peoples money and have nothing to lose.

OnTheWaterfrontFebruary 24, 2012 10:17 AM

Input block images are read/write for a very important reason. When a non essential input device goes bad and you don't have time or parts to replace it and you can't afford downtime you can simply force (or override) the bit or byte.

AgateFebruary 24, 2012 11:04 AM

@OnTheWaterfront: That's an important reason, but it's not a *good* reason. To paraphrase Ben Franklin, those who would trade essential security for a little temporary convenience deserve neither.

As the speaker points out, we're dealing with the question of whether your code is actually interacting with reality or not. If it's not, you're wasting your time.

OnTheWaterfrontFebruary 24, 2012 11:42 AM

@Agate
Every control system I know of (GE, Siemens, ABB, TAC, Andover, AAM) provides this feature, its essential. Nobody would buy a system without this feature. You wouldn't even be able to perform maintenance on most systems without a complete shutdown without this feature. Its also how most offline testing of logic is performed on these systems.

DanielFebruary 24, 2012 2:44 PM

@grant.

A great example of how selectively quoting a person can make them say what they never said. If you wish to take the gist of my comment to demeaning to the intelligence of Iranians, you can. But a careful, complete, and fair reading of my comment indicates I meant no such thing.

AntonFebruary 25, 2012 10:51 PM

I agree with Bruce. This is an important part of the puzzle and indicates that we should be worried.

You can't just assume our control systems in the west are not vulnerable to this kind of attack and that those who would want to use it, don't have the know how and resources needed to do so.

Clive RobinsonFebruary 26, 2012 1:20 PM

@ Anton,

You can't just assume our control systems in the west are not vulnerable to this kind of attack

I've always assumed from practical experiance that they offer less security than wet tissue paper on a stormy night.

Realisticaly none of the Industrial Control or petro chem platform systems I've worked on or had anything to do with had security in the specification let alone anyone actually thinking about it. Most times we crossed our fingers that the dam things would work long enought to get through the Factory Acceptance Test without a hitch first time...

Even now the security is like "Camembert Chease" it has the illusion of a crusty exterior, but yields easily and has little substance and a big stink within...

SparkyGSXFebruary 27, 2012 3:28 PM

I'm rather surprised nobody (including myself) thought of this before:

WHY did the SCADA system have unprotected write-access to the code space of the PLC in the first place?!?

Shouldn't that have been password protected, or only accessible through another port on the PLC (ethernet, RS232, RS485, etc.)?

How can it be that systems the generally control things much more dangerous that the average home PC have no security whatsoever? Compared to these PLC's, any version of windows without any patches, firewalls, etc. is still a fortress.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..