Debacle of The Maginot Line: Going Deeper into Schneider Modicon PAC Security

To provide an economical way to deliver functional control in the gap between the PLC and the DCS, Schneider Electric offers a family of industrial process automation controllers, the Modicon PACs (M580, M340, MC80, etc.). Modicon PACs feature redundancy, native Ethernet and embedded cybersecurity. But are these industrial brains, widely used in power, water and other critical infrastructure, really secure?
In this presentation we focus on the Schneider Modicon PAC controllers and examine them along two dimensions: the proprietary communication protocol, and the password protection mechanism of the CPU (Application and Firmware).
- The security issues of UMAS, the proprietary protocol used by the Modicon PACs: not only the undisciplined authorization process, but also an analysis of the security of the encryption scheme in the latest protocol version. We will also discuss how to quickly build your own fuzzing tools to find 0-days in UMAS implementations.
- Although Schneider claims a password-based security design for its controllers, the protection has defects, and we disclose the Modicon PAC password protection mechanism in detail. We show how to bypass the password-protected security policy and gain controller access to perform dangerous operations without authorization, such as uploading the Application, changing the controller state, and modifying key parameters.
We will also demo a novel attack that bypasses the Modicon PAC security protection mechanism to insert a malicious ransomware Application, demonstrating the impact these flaws could have if exploited. We conclude with defensive strategies and recommendations against this type of attack.