KACO Power Inverter System XP100U Based on dog Wang Embedded analysis

Source: Internet
Author: User


0x00 Preface

First of all, I would like to thank Bing Ge for his guidance and encouragement. Smart IoT devices are currently booming. Many vendors and developers provide only convenient features while ignoring the corresponding security measures. At the same time, many traditional industrial devices have gained network modules without any matching security awareness, so these devices end up exposed on the public Internet, which opens the door to attackers. This article takes the power inverter system produced by KACO new energy as an example to show how insecure design affects an industrial control system.

KACO new energy is a German company that designs and produces power-related industrial control systems and is said to have customers all over the world. At DEFCON 23 in 2015, however, a backdoor in its XP100U power inverter system was disclosed.

During our study we found that this product's problems do not stop there. Let's take a tour of this piece of industrial control equipment.

0x01 A classic backdoor

KACO's power inverter system ships with a small web service written in Java, used for remote login and for monitoring various data indicators.

From the operation manual we learn that the system has a default password, ksk12. After a successful login we can collect data and perform a series of other operations.

Looking at the page source, we find a file named wms.jar. We can view its source code with a Java decompiler.

A simple search for the keyword password quickly turns up the backdoor password "kacosolar2008" in the WMSSettings class.

Interestingly, this password cannot be modified at all. As the following code shows, the entire backdoor authentication consists of a plain comparison against the AdminPassword value stored locally in WMSSettings.
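
To make the design problem concrete, here is an added example (not KACO's code and not decompiled from wms.jar) that reconstructs the weak pattern the article describes, a fixed password compiled into a settings class and compared with plain string equality, and puts a hardened replacement next to it. The hardened store keeps only a random salt and a PBKDF2-SHA256 digest, compares in constant time, and accepts a factory default only with a forced password change. The class and function names, the iteration count and the "operator-chosen-secret" value are assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


# --- The weak pattern the article describes (reconstructed for illustration; not KACO's code) ---
# A settings class carries a fixed AdminPassword and login is a plain string comparison.
# Because the value is compiled into the jar it can never be rotated, and anyone who
# decompiles the jar learns it.
class WeakSettings:
    ADMIN_PASSWORD = "kacosolar2008"  # the backdoor value quoted in the article


def weak_login(submitted: str) -> bool:
    """Backdoor check as described: equality against a compiled-in constant."""
    return submitted == WeakSettings.ADMIN_PASSWORD


# --- Hardened replacement (added example) ---
# * a single credential store, no second fixed credential;
# * only a random salt and a PBKDF2-SHA256 digest are stored, so a leaked jar or
#   config file does not reveal the password;
# * constant-time digest comparison;
# * a factory default is accepted only once, with a forced change.
class CredentialStore:
    def __init__(self) -> None:
        self._salt = b""
        self._digest = b""
        self.must_change = True  # stays True while a factory default is in place

    def set_password(self, password: str, *, factory_default: bool = False) -> None:
        self._salt = os.urandom(16)
        self._digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, PBKDF2_ITERATIONS
        )
        self.must_change = factory_default

    def verify(self, submitted: str) -> bool:
        if not self._digest:
            return False  # no password set yet: never authenticate
        candidate = hashlib.pbkdf2_hmac(
            "sha256", submitted.encode("utf-8"), self._salt, PBKDF2_ITERATIONS
        )
        return hmac.compare_digest(candidate, self._digest)


def hardened_login(store: CredentialStore, submitted: str) -> tuple:
    """Return (authenticated, status).

    A still-unchanged factory default authenticates only with the status
    'password-change-required', so the UI can force rotation before anything else.
    """
    if not store.verify(submitted):
        return (False, "denied")
    if store.must_change:
        return (True, "password-change-required")
    return (True, "ok")


if __name__ == "__main__":
    store = CredentialStore()
    store.set_password("ksk12", factory_default=True)  # default from the manual
    print(hardened_login(store, "ksk12"))               # forced change
    store.set_password("operator-chosen-secret")        # assumed new value
    print(hardened_login(store, "ksk12"))               # old default now denied
```

The point of the contrast is that nothing in the hardened version can be recovered from the shipped binary: the jar contains no password, only the hashing code, and the operator can rotate the credential without a firmware update.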

Reconstructing the whole backdoor was easy and pleasant, but it gets even more interesting...

0x02 Anti-leech design

Having seen the backdoor account above, a Wireshark packet capture reveals another interesting aspect of this system's authentication design. We mentioned that the default password is ksk12; normally you can change it to a custom password, and the whole process is transmitted in plaintext, so yes, we can obtain the password by simple sniffing. But what is special about it? Don't worry, the drama is not over yet.....

Let's look at the whole login process first. After we press the Login button, the first packet the client sends contains the text aci_request_code type='int'>31<. So what does 31 mean?

Looking at the Java source, we learn that type 31 is used to fetch the current password from the server. In other words, on every authentication the system sends the current password back in plaintext...

The most incredible part is that even if you enter an incorrect password, the system shows an error dialog but still returns the correct password in plaintext. Haha! In other words, we don't even need to reverse the source code: the system has already told the world its password.
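
For anyone who operates such devices, the useful question is how to notice this behaviour on the wire. The following added example (not part of the original article, and not KACO's code) is a small passive checker that runs over captured HTTP request/response pairs: it recognises the aci_request_code 31 fragment quoted above and flags any reply whose password element carries a non-empty value. The article does not show the reply format, so the element name (any tag containing "password") and the sample traffic are constructed assumptions; disclosed values are masked before they are reported so the checker's own log does not leak them again.

```python
import re
from dataclasses import dataclass
from typing import List

GET_CURRENT_PASSWORD = 31  # the aci_request_code value the article identifies

# Matches the request fragment quoted in the article: aci_request_code type='int'>31<
REQUEST_CODE_RE = re.compile(r"aci_request_code\s+type\s*=\s*'int'\s*>\s*(\d+)\s*<")

# ASSUMPTION: the article does not show the reply element's name, only that the
# current password comes back in plaintext. Any element whose name contains
# "password" is treated as the disclosure.
PASSWORD_ELEMENT_RE = re.compile(r"<([a-z_]*password[a-z_]*)[^>]*>([^<]*)<", re.IGNORECASE)


@dataclass
class Exchange:
    client: str          # address of the host that sent the request
    request_body: str    # HTTP request body as captured (constructed samples below)
    response_body: str   # HTTP response body as captured


@dataclass
class Finding:
    client: str
    element: str
    masked_value: str    # first character kept, rest masked, so reports don't re-leak it


def mask(value: str) -> str:
    """Keep the first character and mask the rest; empty input stays empty."""
    return value[:1] + "*" * (len(value) - 1) if value else ""


def inspect_exchanges(exchanges: List[Exchange]) -> List[Finding]:
    """Flag every type-31 request whose reply carries a non-empty password element."""
    findings = []
    for ex in exchanges:
        m = REQUEST_CODE_RE.search(ex.request_body)
        if m is None or int(m.group(1)) != GET_CURRENT_PASSWORD:
            continue  # not a get-current-password request
        p = PASSWORD_ELEMENT_RE.search(ex.response_body)
        if p is None or not p.group(2).strip():
            continue  # reply carries no password value: nothing disclosed
        findings.append(Finding(ex.client, p.group(1), mask(p.group(2).strip())))
    return findings


# Constructed sample traffic (not a real capture): one disclosure, one ordinary data
# query with an assumed request code, and one type-31 reply whose password field is
# empty, as a corrected device might answer.
SAMPLE_TRAFFIC = [
    Exchange("10.0.0.5",
             "<aci_request><aci_request_code type='int'>31</aci_request_code></aci_request>",
             "<aci_response><admin_password>ksk12</admin_password></aci_response>"),
    Exchange("10.0.0.7",
             "<aci_request><aci_request_code type='int'>12</aci_request_code></aci_request>",
             "<aci_response><power_w>4210</power_w></aci_response>"),
    Exchange("10.0.0.9",
             "<aci_request><aci_request_code type='int'>31</aci_request_code></aci_request>",
             "<aci_response><admin_password></admin_password></aci_response>"),
]

if __name__ == "__main__":
    for f in inspect_exchanges(SAMPLE_TRAFFIC):
        print(f"{f.client}: password disclosed in <{f.element}> ({f.masked_value})")
```

Run against the constructed samples it reports exactly one finding, the exchange from 10.0.0.5. In practice the same check belongs in front of the device, on a proxy or IDS, where any non-empty answer to a type-31 request is a signal that the firmware still leaks the current password and that the session is running over plaintext HTTP.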

0x03 Hunting for the XP100U

After all this, you can't wait to find a KACO server to try it on. A search engine can help with this task: as shown on SHODAN, we can easily find several KACO inverters exposed on the public Internet.

Note that the system's default port is 80; during testing you can try several other common ports as well.

Interestingly, one KACO power inverter site also hosts a network monitoring system (thanks to Z-One for the tip). If you are interested you can explore it further, but don't break anything. :D

0x04 Summary

This case shows that very basic weaknesses from traditional system security, such as HTTP plaintext transmission, default passwords and system backdoors, are still very common in industrial control embedded systems, and the hidden risks are enormous. Embedded systems are hard to upgrade once they have gone into production, so perhaps product designers should find a balance between usability and security at the initial design stage. For security enthusiasts, on the other hand, industrial control embedded systems are a very interesting and deep field, and we look forward to seeing more.
