Defeating VLANs to access OT networks.
Andre Froneman
OT Solutions Specialist | CompTIA Security+, Cloud+ & Pentest+ Certified | Hard Hatter of OT Cybersecurity
Understanding and Mitigating Risks in IoT Security
In today's interconnected industrial environments, Operational Technology (OT) networks are increasingly at risk due to vulnerabilities in their network segmentation practices. One of the more sophisticated threats is VLAN hopping, where attackers bypass network segmentation to access sensitive OT systems. Here, we explore how this technique, along with exploiting default credentials on IoT devices like CCTV cameras, can lead to significant breaches.
The Basics of VLAN Hopping:
Exploiting Default Passwords in IoT devices to get to the switch running the VLAN.
Why Target OT Networks?
Understanding VLAN Hopping
VLAN Hopping is a network attack where an attacker gains access to traffic on VLANs different from the one they are supposed to be limited to. Here are the primary methods:
Double Tagging:
Scenario: In an industrial setting, a switch could be configured where VLAN 1 is the native VLAN for trunk ports, used for management traffic or IoT devices like sensors or cameras.
Execution: An attacker, perhaps through a compromised IoT device, crafts a frame with two 802.1Q tags. The outer tag carries the attacker's VLAN, and the inner tag carries the victim's VLAN. The first switch strips the outer tag because it matches the trunk's native VLAN and forwards the frame across the trunk with only the inner tag; the next switch reads that inner tag and delivers the frame into the victim's VLAN.
Requirements: The attacker's port must be in the trunk's native VLAN, and the attack only works when the victim's VLAN traffic is carried over that trunk to a different switch.
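As an added illustration from the defender's side (not part of the original article), a small detector for the frame shape just described: it walks the 802.1Q tag stack of a mirrored Ethernet frame and flags any frame whose outer tag is the trunk's native VLAN with a second tag beneath it. The sample frames and the native VLAN number are constructed assumptions.

```python
import struct

TPIDS = (0x8100, 0x88A8)   # 802.1Q and 802.1ad tag protocol identifiers
NATIVE_VLAN = 1            # native VLAN of the monitored trunk (assumption)

# Constructed test frames, not captured traffic: MAC header, optional tag
# stack, IPv4 EtherType and a 20-byte dummy IPv4 header.
IPV4 = "0800" "4500001400000000401100000a0000010a000002"
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "ffffffffffff020000000001" + IPV4,                        # untagged
    "ffffffffffff020000000002" "81000064" + IPV4,             # one tag, VID 100
    "ffffffffffff020000000003" "81000001" "81000064" + IPV4,  # outer VID 1, inner VID 100
)]

def parse_vlan_stack(frame):
    """Return (vids, ethertype): every stacked VLAN ID after the MAC addresses
    and the EtherType of the payload that follows the last tag."""
    offset, vids = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype, = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated tag stack")
        tci, = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)       # low 12 bits of the TCI carry the VID
        offset += 4

def is_double_tag_attempt(frame, native_vlan=NATIVE_VLAN):
    """A frame with two or more tags whose outer tag is the native VLAN has
    exactly the shape the attack needs: the first switch strips the native
    tag and the inner tag decides which VLAN the frame lands in."""
    vids, _ = parse_vlan_stack(frame)
    return len(vids) >= 2 and vids[0] == native_vlan

def scan_frames(frames, native_vlan=NATIVE_VLAN):
    """Indices and tag stacks of frames that match the double-tagging shape."""
    return [(i, parse_vlan_stack(f)[0]) for i, f in enumerate(frames)
            if is_double_tag_attempt(f, native_vlan)]

if __name__ == "__main__":
    for idx, vids in scan_frames(SAMPLE_FRAMES):
        print(f"frame {idx}: tag stack {vids} looks like double tagging")
```

A tagged frame seen on the ingress side of an access port is already abnormal, since end devices normally send untagged; the native-VLAN check narrows the alert to the double-tagging case.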
Switch Spoofing:
Scenario: An attacker might connect a rogue device to an industrial network, often where there's less stringent access control, like in BMS or CCTV networks.
Execution: The attacker's device poses as a switch by sending Dynamic Trunking Protocol (DTP) messages, so the legitimate switch negotiates the link into trunk mode, or the attacker manually configures the port to trunk mode. Once the trunk is established, the attacker can tag frames with any VLAN ID and access or intercept traffic from the VLANs the trunk was meant to keep separate.
Requirements: Physical or logical access to the network in order to spoof a switch, and switch ports misconfigured so that they negotiate trunking automatically by default.
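Both methods rest on switch-port settings, so here is an added example (not from the article) that audits a Cisco IOS-style running-config for the two conditions described above: ports that may negotiate a trunk over DTP (switch spoofing) and trunks that still carry native VLAN 1 untagged (double tagging). The config excerpt is constructed; the command syntax follows Cisco IOS.

```python
# Constructed Cisco IOS-style config excerpt (not from a real device): a camera
# port left at the DTP default, a hardened BMS port and two uplink trunks.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each interface name to its sub-commands (leading whitespace stripped)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None          # end of the interface block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit_vlan_hopping(config):
    """(interface, finding) pairs for switch-spoofing and double-tagging exposure."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        mode = next((c.split()[2] for c in cmds if c.startswith("switchport mode ")), None)
        if mode in ("dynamic", None):   # dynamic auto/desirable, or the platform default
            findings.append((name, "may negotiate a trunk over DTP: set 'switchport mode access' and 'switchport nonegotiate'"))
        if mode == "trunk":
            native = next((int(c.split()[-1]) for c in cmds if c.startswith("switchport trunk native vlan ")), 1)
            if native == 1:   # trunk native VLAN defaults to 1 when not set
                findings.append((name, "native VLAN 1 on trunk: move the native VLAN to an unused ID"))
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "trunk still sends DTP: add 'switchport nonegotiate'"))
    if "vlan dot1q tag native" not in config:   # global command that tags the native VLAN
        findings.append(("global", "native VLAN sent untagged on trunks: add 'vlan dot1q tag native'"))
    return findings
```

Running audit_vlan_hopping(SAMPLE_CONFIG) returns four findings: one for the camera port, two for the IT-side trunk, and the missing global tag-native setting.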
Exploitation Steps:
Reconnaissance: Identify the network topology, VLAN assignments, and potential entry points. Tools like nmap for port scanning or arp-scan for device discovery are useful here.
Initial Access: Use default credentials on vulnerable IoT devices to gain initial network access.
VLAN Hopping: For double tagging, identify the native VLAN and craft frames with dual tags. For switch spoofing, set up a rogue switch or device configured to negotiate trunking with the legitimate switch.
Lateral Movement: Once in a more privileged VLAN, use this position to access or manipulate other industrial systems. This might involve sniffing traffic for credentials or proprietary information, or modifying control data sent to PLCs or BMS systems for sabotage.
Persistence: Maintain access by installing backdoors or manipulating network settings to keep a foothold.
Application in Industrial Networking:
Target Devices:
CCTV Cameras: Often connected to VLANs for surveillance, these can be entry points if they use default credentials or lack strong authentication. This also applies to thermal condition monitoring cameras, PPE detection cameras and stock-picking inventory cameras. Searching for the Industrial tag on Insecam lists CCTV cameras in factories anywhere on the planet that still use default usernames and passwords: https://www.insecam.org/en/bytag/Industrial/ You can also use Censys, Shodan, Zoomeye, Fofa and BinaryEdge to do the same.
BMS Controllers: These manage HVAC, lighting, etc., and might be neglected in terms of network security updates or configurations. Hacking Building Management Systems is much easier than it should be; I have written a deep dive into hacking BACnet: https://www.dhirubhai.net/pulse/bacnet-threat-andre-froneman-5gcsf/?trackingId=dCBgTnRbRpOBK2b08jzoaw%3D%3D
Access Control Systems: If these are networked, they could be pivotal for physical security breaches if compromised. You can search for "access control" on www.shodan.io and look for exposed access control systems.
Shopfloor Smart Tools: These include IoT-enabled tools that might communicate diagnostic, usage, or maintenance data back to a central system. If these tools are on the same VLAN as more critical systems without proper isolation, they could be exploited for lateral movement.
Shopfloor Printers and Scanners: Often used for printing labels, work orders, or scanning barcodes. These devices might not have the latest security patches or might use outdated firmware, making them exploitable for VLAN hopping if they can be made to act as a bridge between different network segments.
Factory Smart TVs: Used for displaying real-time data, KPIs, or safety notices. If these devices have internet access or are part of the broader network, they could be entry points for malware distribution or phishing attacks aimed at the plant's personnel. EvilScreen attacks on most smart TVs are becoming easier. Some details on this can be found here: https://ieeexplore.ieee.org/document/10151901 https://sites.google.com/view/evilscreen
Security Measures to Prevent Such Exploits:
Conclusion: While VLAN hopping and default password vulnerabilities are significant threats, they are preventable with diligent cybersecurity practices. OT environments must prioritize security in IoT device deployment, emphasizing network segmentation integrity and access control.
Stay Vigilant: By understanding these vulnerabilities and implementing countermeasures, businesses can protect their critical infrastructure from cyber threats, ensuring that their innovations and operations remain secure.
About the Author: Andre Froneman, an OT Solutions Specialist with certifications in CompTIA Security+, Cloud+, and Pentest+, specializes in safeguarding industrial environments from cyber threats, leveraging years of experience to educate and protect.
Thanks for the shoutout, Andre!