Author Topic: Hacking the Rigol MSO5000 series oscilloscopes  (Read 915843 times)


Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1200 on: August 20, 2019, 08:12:13 pm »
The other is an "upload" function, but it's not set to upload anything that would reveal it's hacked, since that is only in appEntry with no file system modifications.

Not everyone patches.  ;)

Code: [Select]
<firmware>http://www.rigol.com/Support/ProductUpgradeFile?sn=%1$hardware=%2$behaviour=%3$software=%4</firmware>
<uploadurl>http://www.rigol.com/up.aspx?act=%1$filename=%2</uploadurl>

That upload URL makes me a bit queasy.

This is what I was referring to as "calling home". It shouldn't be too hard to see, with a well placed breakpoint, what is being sent.
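The two URL templates quoted above are worth auditing rather than just eyeballing. The script below is an added example, not code from this thread or from Rigol: it parses those two elements (wrapped in a constructed <config> root so that ElementTree accepts them), reports scheme, host and path for each endpoint, lists the query fields the device fills in, and derives the host list an admin would pin down on an instrument VLAN. The %1, %2 ... tokens are read as positional placeholders and the '$' between fields as the separator, exactly as the quoted text has them; the field names flagged as identifying or data-carrying are my classification, not something the firmware states.

```python
"""Audit the URL templates a device config hands to its firmware.

Added example; not code from the thread or from Rigol.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the two elements quoted in the post, wrapped in a root.
SAMPLE_CONFIG = """<config>
<firmware>http://www.rigol.com/Support/ProductUpgradeFile?sn=%1$hardware=%2$behaviour=%3$software=%4</firmware>
<uploadurl>http://www.rigol.com/up.aspx?act=%1$filename=%2</uploadurl>
</config>"""

# Assumed classification of query fields:
IDENTIFYING_FIELDS = {"sn"}      # serial number identifies the individual unit
DATA_FIELDS = {"filename"}       # a file is being sent, not just fetched

# "name=%N" pairs; the '$' separator in the quoted URLs is not a standard '&',
# so the query is scanned for pairs instead of being split on a delimiter.
FIELD_RE = re.compile(r"(\w+)=(%\d+)")


def audit_urls(xml_text):
    """Return one finding per URL-bearing element in the config."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root:
        url = (elem.text or "").strip()
        if not url.lower().startswith(("http://", "https://")):
            continue
        parts = urlsplit(url)
        fields = [name for name, _ in FIELD_RE.findall(parts.query)]
        findings.append({
            "element": elem.tag,
            "scheme": parts.scheme,
            "host": parts.hostname,
            "path": parts.path,
            "fields": fields,
            # Plain http gives no server authentication, so a file fetched this
            # way cannot be trusted to come from the vendor without a separate
            # integrity check on the device.
            "authenticated_transport": parts.scheme == "https",
            "sends_unit_identifier": bool(IDENTIFYING_FIELDS & set(fields)),
            "uploads_data": bool(DATA_FIELDS & set(fields)),
        })
    return findings


def egress_hosts(findings):
    """Hosts to control with firewall or DNS policy on an instrument VLAN."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = audit_urls(SAMPLE_CONFIG)
    for finding in results:
        print(finding)
    print("hosts to control:", egress_hosts(results))
```

Run it against the XML pulled from your own unit; any element that comes back with `authenticated_transport` False and `sends_unit_identifier` True is a request worth blocking or at least logging at the router.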

 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1201 on: August 20, 2019, 08:17:30 pm »
It is self-healing!

To try out some of the latest findings you have discovered, I removed the firewall rule on my router, plugged the scope into the network, and tried to recreate the problem.  Guess what, now the scope boots fine with the LAN attached, and rigol.com is no longer blocked.

 ;D

Let's admit that they keep track of the last date when you reported your scope status. And, from time to time, they require you to report the status. If you don't...

Now, you're good for a certain period of time.

(This is just a feeling...)
 

Offline mabl

  • Regular Contributor
  • *
  • Posts: 122
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1202 on: August 20, 2019, 08:23:27 pm »
Intriguing idea  |O. Possibly there is some kind of counter for power-ups or time persisted in /rigol/data/stat.dat. Next time I debug this, I'll set a breakpoint and try to trigger that auto-connect.
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1203 on: August 20, 2019, 08:37:11 pm »
Intriguing idea  |O. Possibly there is some kind of counter for power-ups or time persisted in /rigol/data/stat.dat. Next time I debug this, I'll set a breakpoint and try to trigger that auto-connect.

That's all in the FRAM.

Answering your previous thoughts, I think the scope keeps all the status in the FRAM and then (after boot or in any specific periods/events) creates a copy in the NAND of that info in the /data files. Maybe just to ease the "calling home" task.

You can zero the whole FRAM and the scope is able to work (unlicensed).
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16628
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1204 on: August 20, 2019, 08:40:43 pm »
Let's admit that they keep track of the last date when you reported your scope status. And, from time to time, they require you to report the status. If you don't...

What if you never connect it to a network?  :popcorn:
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1205 on: August 20, 2019, 08:44:44 pm »
Let's admit that they keep track of the last date when you reported your scope status. And, from time to time, they require you to report the status. If you don't...

What if you never connect it to a network?  :popcorn:

Of course, that's one solution. A better one is to patch the hyperlinks that try to dump the XML link page and do the upload.

BTW, we also must remember that in the code there is an email client, so the reporting can exist via email. The email address to which it reports can be easily found in the code.

 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 133
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1206 on: August 20, 2019, 11:16:42 pm »
Let's admit that they keep track of the last date when you reported your scope status. And, from time to time, they require you to report the status. If you don't...

What if you never connect it to a network?  :popcorn:

Of course, that's one solution. A better one is to patch the hyperlinks that try to dump the XML link page and do the upload.

BTW, we also must remember that in the code there is an email client, so the reporting can exist via email. The email address to which it reports can be easily found in the code.

Fun fact about the email function. They hardcoded SMTP credentials into appEntry.
 
The following users thanked this post: thm_w, kwinz
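Hardcoded mail credentials in a firmware binary are the kind of thing a build pipeline should catch before the image leaves the vendor. The following is an added example, not code from this thread or from Rigol, of that check: it pulls printable strings out of a binary blob the way `strings` does, classifies the ones that look like mail hosts, addresses or URLs, flags any opaque token sitting next to a mail host or address as a candidate credential, and produces a report with those candidates redacted so it can be pasted into a ticket. The blob is constructed; the host, address and password in it are placeholders, while the path and upload URL are the ones already quoted in this thread.

```python
"""Scan a firmware blob for strings that look like embedded mail credentials.

Added example; not code from the thread or from Rigol.
"""
import re

MIN_LEN = 4
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
MAIL_HOST = re.compile(r"^(smtp|mail|imap|pop3?)\.[\w.-]+$", re.IGNORECASE)
URL = re.compile(r"^https?://", re.IGNORECASE)

# Constructed sample "binary": a fake header followed by NUL-separated strings.
# The host, address and password are placeholders; the path and URL are the
# ones quoted in the thread.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"mail.example.com\x00"
    + b"587\x00"
    + b"scope-report@example.com\x00"
    + b"PLACEHOLDER-PASSWORD\x00"
    + b"Waveform saved\x00"
    + b"/rigol/data/stat.dat\x00"
    + b"http://www.rigol.com/up.aspx?act=%1$filename=%2\x00"
)


def extract_strings(blob):
    """Printable ASCII runs of MIN_LEN or more, as `strings` would list them."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def classify(s):
    if URL.match(s):
        return "url"
    if EMAIL.match(s):
        return "email"
    if MAIL_HOST.match(s):
        return "mail_host"
    return None


def looks_like_secret(s):
    """Opaque token: no whitespace or path separators, long enough for a password."""
    return len(s) >= 8 and not re.search(r"[\s/\\]", s)


def find_credential_candidates(blob, window=2):
    """Classified strings plus opaque tokens that sit within `window` strings
    of a mail host or address; those are treated as credentials until proven
    otherwise."""
    strings = extract_strings(blob)
    kinds = [classify(s) for s in strings]
    findings = []
    for i, (s, kind) in enumerate(zip(strings, kinds)):
        if kind:
            findings.append({"index": i, "kind": kind, "value": s})
            continue
        neighbours = kinds[max(0, i - window):i] + kinds[i + 1:i + 1 + window]
        if looks_like_secret(s) and any(k in ("email", "mail_host") for k in neighbours):
            findings.append({"index": i, "kind": "possible_secret", "value": s})
    return findings


def redact(value, keep=2):
    """Keep a short prefix so the finding can be matched, hide the rest."""
    return value[:keep] + "*" * (len(value) - keep)


def report(findings):
    """Lines safe to paste into a ticket: candidate secrets are redacted."""
    lines = []
    for f in findings:
        shown = redact(f["value"]) if f["kind"] == "possible_secret" else f["value"]
        lines.append(f"[{f['kind']}] string #{f['index']}: {shown}")
    return lines


if __name__ == "__main__":
    for line in report(find_credential_candidates(SAMPLE_BINARY)):
        print(line)
```

The heuristic is deliberately loose (a false positive costs a minute of review; a missed credential costs what this thread describes), and the redaction means the report itself never becomes a second copy of the secret.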

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 133
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1207 on: August 21, 2019, 12:41:23 am »
Does Rigol have a security team email? they dun fucked up with their smtp credentials.

You can uh, log into their IBM iNotes instance using them and at minimum send email as rigol.com

You can even see their full internal employee directory.


They do have 4x "IT Operations, Process and Maintenance" addresses, maybe I'll send them a nice email from their own IBM instance  :-DD
« Last Edit: August 21, 2019, 12:49:22 am by delfinom »
 
The following users thanked this post: thm_w, bd139

Offline mabl

  • Regular Contributor
  • *
  • Posts: 122
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1208 on: August 21, 2019, 04:03:37 am »
Oh dear.... I did see the hard coded credentials, but thought nobody was crazy enough to do this. I once even checked the credentials on an older firmware and they did not work for sending mails (maybe the server was down or I made a mistake or they even changed).

Now you get into their company mail server? And see the employee directory? :palm: Maybe even see all the old sent emails by that account?

This is where the fun ends. Please contact Rigol as soon as possible.

EDIT: I tried sending them a warning message using their own SMTP server - it did not answer on port 25, which the scope also uses. So as I said before, their mail credentials seem broken. I wonder if this is due to your last message now, or if they removed plain text SMTP...
« Last Edit: August 21, 2019, 04:39:25 am by mabl »
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 133
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1209 on: August 21, 2019, 11:55:24 am »
Oh dear.... I did see the hard coded credentials, but thought nobody was crazy enough to do this. I once even checked the credentials on an older firmware and they did not work for sending mails (maybe the server was down or I made a mistake or they even changed).

Now you get into their company mail server? And see the employee directory? :palm: Maybe even see all the old sent emails by that account?

This is where the fun ends. Please contact Rigol as soon as possible.

EDIT: I tried sending them a warning message using their own SMTP server - it did not answer on port 25, which the scope also uses. So as I said before, their mail credentials seem broken. I wonder if this is due to your last message now, or if they removed plain text SMTP...
Are you sure it's not due to your ISP blocking port 25 like mine does?
 

Offline Kean

  • Supporter
  • ****
  • Posts: 2088
  • Country: au
  • Embedded systems & IT consultant
    • Kean Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1210 on: August 21, 2019, 02:11:08 pm »
Oh dear.... I did see the hard coded credentials, but thought nobody was crazy enough to do this. I once even checked the credentials on an older firmware and they did not work for sending mails (maybe the server was down or I made a mistake or they even changed).

Now you get into their company mail server? And see the employee directory? :palm: Maybe even see all the old sent emails by that account?

This is where the fun ends. Please contact Rigol as soon as possible.

EDIT: I tried sending them a warning message using their own SMTP server - it did not answer on port 25, which the scope also uses. So as I said before, their mail credentials seem broken. I wonder if this is due to your last message now, or if they removed plain text SMTP...
Are you sure it's not due to your ISP blocking port 25 like mine does?

Why would they include credentials?  If it is sending email to @rigol.com, then it just needs to connect to the rigol.com MX.
Of course, as you mention they cannot rely on port 25 being open outbound (rarely is these days) so they'd want to use 587 or similar, and I guess their server configuration may then require auth.
In any case, sending email from the scope is just stupid when they could more reliably use a web API for notifications or data exfiltration.
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 133
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1211 on: August 21, 2019, 02:28:40 pm »
Oh dear.... I did see the hard coded credentials, but thought nobody was crazy enough to do this. I once even checked the credentials on an older firmware and they did not work for sending mails (maybe the server was down or I made a mistake or they even changed).

Now you get into their company mail server? And see the employee directory? :palm: Maybe even see all the old sent emails by that account?

This is where the fun ends. Please contact Rigol as soon as possible.

EDIT: I tried sending them a warning message using their own SMTP server - it did not answer on port 25, which the scope also uses. So as I said before, their mail credentials seem broken. I wonder if this is due to your last message now, or if they removed plain text SMTP...
Are you sure it's not due to your ISP blocking port 25 like mine does?

Why would they include credentials?  If it is sending email to @rigol.com, then it just needs to connect to the rigol.com MX.
Of course, as you mention they cannot rely on port 25 being open outbound (rarely is these days) so they'd want to use 587 or similar, and I guess their server configuration may then require auth.
In any case, sending email from the scope is just stupid when they could more reliably use a web API for notifications or data exfiltration.

They are using the credentials as an SMTP relay, which is normal. There's a giant list of reasons why nobody sends mail directly to domains these days (i.e. 90% chance the receiving mail server or your ISP or corporate network will block you).
It's just providing their own credentials and their own relay that is stupid.
And then doing so by creating a user in their IBM Notes instance without blocking the user from login is extra icing on the cake.


Their intention is to allow users to enter their own SMTP settings, such as a corporate network relay or a personal service like Gmail. But yea, they screwed up.



This is where the fun ends. Please contact Rigol as soon as possible.


Well, I sent an email to their IT groups internally via the account.....hopefully they understand English.....  :D

Otherwise it's not like they have a security email address for such reports.
« Last Edit: August 21, 2019, 02:40:16 pm by delfinom »
 

Offline Kean

  • Supporter
  • ****
  • Posts: 2088
  • Country: au
  • Embedded systems & IT consultant
    • Kean Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1212 on: August 21, 2019, 03:06:05 pm »
They are using the credentials as an SMTP relay, which is normal. There's a giant list of reasons why nobody sends mail directly to domains these days (i.e. 90% chance the receiving mail server or your ISP or corporate network will block you).

Yes, the fact it will likely be blocked, even if using a non-standard SMTP port, is why this whole thing is bonkers.
The fact that they then included credentials that can be used to do more than sending emails to their domain, just shows they shouldn't be writing networking code, or probably any embedded applications.

Please update us if you hear back from them.  If you don't hear that they've closed up the security hole in a pretty short time, then this should be reported to a security researcher to name & shame them.  e.g Brian Krebs or Troy Hunt.
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 133
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1213 on: August 21, 2019, 03:28:52 pm »
They are using the credentials as an SMTP relay, which is normal. There's a giant list of reasons why nobody sends mail directly to domains these days (i.e. 90% chance the receiving mail server or your ISP or corporate network will block you).

Yes, the fact it will likely be blocked, even if using a non-standard SMTP port, is why this whole thing is bonkers.
The fact that they then included credentials that can be used to do more than sending emails to their domain, just shows they shouldn't be writing networking code, or probably any embedded applications.

Please update us if you hear back from them.  If you don't hear that they've closed up the security hole in a pretty short time, then this should be reported to a security researcher to name & shame them.  e.g Brian Krebs or Troy Hunt.

Meh, you are making it out to be worse than it is. Shit, I've seen worse at major defense contractors, and the stories I could tell.

Is it bad? Yes.
But does it mean they shouldn't be writing networking code or embedded applications? Hah
« Last Edit: August 21, 2019, 03:39:11 pm by delfinom »
 

Offline Kean

  • Supporter
  • ****
  • Posts: 2088
  • Country: au
  • Embedded systems & IT consultant
    • Kean Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1214 on: August 21, 2019, 03:42:07 pm »
Meh, you are making it worse than it is. Shit I've seen worse at major defense contractors and the stories I could tell.

Possibly, but they've just compromised their own email server.  Think about that, and then what concerns there might be in putting this scope on an engineering network in a large corporation or university.

These scopes connect to external web servers via http (not https, so no encryption and no way to validate a certificate to ensure there isn't a MITM attack), and then write downloaded data to the filesystem.  I wouldn't be surprised if there was a serious vulnerability there that allowed malicious code to be injected and run on the scope, and not just via the firmware update process.

Is it bad? Yes.
But does it mean they shouldn't be writing networking code or embedded applications? Hah

The fact that a lot worse happens elsewhere doesn't minimise how bad this is.

Of course... if it wasn't for these same developers this thread wouldn't exist at all.  And Rigol would be selling a lot less of their latest scopes.
 

Offline Mr. Scram

  • Super Contributor
  • ***
  • Posts: 9810
  • Country: 00
  • Display aficionado
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1215 on: August 21, 2019, 03:54:25 pm »
Maybe Keysight is willing to pay a pretty penny for some Rigol company secrets they can dig up with those credentials.  :-DD  Making vulnerable firmware on purpose is one thing but this doesn't look like being done on purpose at all.
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 133
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1216 on: August 21, 2019, 05:12:28 pm »
Meh, you are making it worse than it is. Shit I've seen worse at major defense contractors and the stories I could tell.

Possibly, but they've just compromised their own email server.  Think about that, and then what concerns there might be in putting this scope on an engineering network in a large corporation or university.

These scopes connect to external web servers via http (not https, so no encryption and no way to validate a certificate to ensure there isn't a MITM attack), and then write downloaded data to the filesystem.  I wouldn't be surprised if there was a serious vulnerability there that allowed malicious code to be injected and run on the scope, and not just via the firmware update process.

Is it bad? Yes.
But does it mean they shouldn't be writing networking code or embedded applications? Hah

The fact that a lot worse happens elsewhere doesn't minimise how bad this is.

Of course... if it wasn't for these same developers this thread wouldn't exist at all.  And Rigol would be selling a lot less of their latest scopes.

Why are you concerned about it being a vulnerability? It's a feature.  :-DD
The literal design of the download mechanism is download via http and just applying the gel file. And uh, you can see we can generate our own gel files by hand pretty easily.
So you could inject the malicious code yourself if you wanted to via a MITM easily over http.

But uh, I'll take my $1k scope that's worth far more since being patched and sit in the corner hugging it ;)


Possibly, but they've just compromised their own email server.  Think about that, and then what concerns there might be in putting this scope on an engineering network in a large corporation or university.


I still like relative comparisons. Why?
Because I've seen so much shit in different industries that everything is fucking terrible, to the point you can't escape it; there are just different levels of terrible. You can only work to compartmentalize your network and security to minimize damage when shit goes wrong. Shit, even my home network is running 5 VLANs with 2 dedicated just for IoT devices.

So I rank the scopes with some poor security decisions as less than, say, the backdoored Cisco hardware those large corps or universities are most likely running ;)
« Last Edit: August 21, 2019, 10:02:25 pm by delfinom »
 
The following users thanked this post: thm_w

Offline nimish

  • Regular Contributor
  • *
  • Posts: 145
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1217 on: August 21, 2019, 10:05:40 pm »
Anyone allowing this thing to connect to external networks is a fool.

 

Offline NoisyBoy

  • Frequent Contributor
  • **
  • Posts: 503
  • Country: us
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1218 on: August 22, 2019, 12:19:30 am »
That's why mine is only going on a physically isolated network if remote control is required; there's really no reason for it to ever go on the Internet.  I will do all firmware updates manually through a USB drive, especially given how infrequently they come out.
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 133
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1219 on: August 22, 2019, 12:38:00 am »
It appears they disabled the account, and it no longer works to log in via iNotes and SMTP. No reply to me; I assume there was some internal yelling after I CCed 4x internal IT distribution groups on my "you dun fucked up" email.

You know what's interesting digging further (and avoiding the temptation to anally probe some infrastructure), for a Chinese company they sure like to escape the great firewall by using an email provider who proceeds to host all their infrastructure on DigitalOcean (which has no Chinese datacenters).
« Last Edit: August 22, 2019, 01:58:11 am by delfinom »
 
The following users thanked this post: thm_w, Kean, tv84

Offline Kean

  • Supporter
  • ****
  • Posts: 2088
  • Country: au
  • Embedded systems & IT consultant
    • Kean Electronics
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1220 on: August 22, 2019, 02:56:56 am »
Dave tweeted about it, so the word has got out  >:D

Glad they closed the hole so quickly.
 

Offline delfinom

  • Regular Contributor
  • *
  • Posts: 133
  • Country: 00
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1221 on: August 22, 2019, 03:00:15 am »
Dave tweeted about it, so the word has got out  >:D

Glad they closed the hole so quickly.

They fixed it way before the tweet ;)
 

Online Shodge

  • Contributor
  • Posts: 21
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1222 on: August 22, 2019, 04:16:10 am »
Hey, just a shout out of thanks to the following:
mabl, tv84, delfinom, piskers and oliv3r.... and others I missed, for the information on how to hack the appEntry.  With the data and a good disassembler you can re-create the earlier hacks as described on the latest firmware. (or use delfinom's patch file)...

Again - my thanks for your efforts...
-Stan
 

Offline borjam

  • Supporter
  • ****
  • Posts: 908
  • Country: es
  • EA2EKH
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1223 on: August 22, 2019, 01:02:01 pm »
I think it's pretty certain that the scope phones home every time it can.

One thing it does in that phone call, I think, is to send an RSA encrypted pack that contains some relevant data from the /data dir. Personal data: keys, licenses, etc.

If someone wants to put Wireshark to work, we can verify this info.

Mabl, no pissing contest here, but i released the SCPI commands in the general Rigol all SCPI commands thread. I'll try and check with yours.
Curious. At least I haven't observed anything of the sort with a DS1000Z, SDS1202X-E or a SVA1015X (and I keep a year's worth of Netflow data for my home network).

Phoning home would be quite rude.
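borjam's Netflow records are the right place to settle the phone-home question, and checking them can be scripted. The block below is an added example (not code from the thread): it reads flow records in a constructed one-line-per-flow format, keeps only flows from an assumed instrument VLAN (10.20.0.0/24) to non-RFC1918 addresses on the ports this thread has mentioned (25/587 for the mail client, 80 for the plain-http upgrade and upload URLs, 443 for comparison), totals flows and bytes per instrument and destination, and raises an alert for any mail traffic or for plain-http transfers larger than an assumed 10 kB threshold. The addresses in the sample are documentation ranges, not real hosts.

```python
"""Spot instruments calling home in exported flow records.

Added example; not code from the thread. Record format assumed:
"timestamp src dst dst_port proto bytes", one flow per line.
"""
import ipaddress
from collections import defaultdict

# Assumptions for this example: the bench instruments live in one VLAN, and
# anything outside RFC1918 space counts as "the Internet".
INSTRUMENT_NET = ipaddress.ip_network("10.20.0.0/24")
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {25: "smtp", 587: "submission", 80: "http", 443: "https"}
LARGE_HTTP_BYTES = 10_000  # assumed threshold: more than a version check

# Constructed sample records (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges). 10.20.0.15 plays the scope.
SAMPLE_FLOWS = """\
2019-08-20T08:00:01 10.20.0.15 10.20.0.1 53 udp 120
2019-08-20T08:00:03 10.20.0.15 203.0.113.10 80 tcp 2310
2019-08-20T08:00:05 10.20.0.15 203.0.113.10 80 tcp 18870
2019-08-20T08:00:09 10.20.0.15 198.51.100.25 587 tcp 4200
2019-08-20T08:01:00 10.20.0.40 192.168.1.7 5555 tcp 900
2019-08-20T08:02:00 10.20.0.15 203.0.113.10 80 tcp 1200
"""


def parse_flow(line):
    ts, src, dst, port, proto, nbytes = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "port": int(port),
            "proto": proto, "bytes": int(nbytes)}


def is_external(ip):
    return not any(ip in net for net in PRIVATE_NETS)


def summarize_egress(flow_text):
    """Per instrument: flows and bytes to each external (host, service) pair."""
    summary = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "bytes": 0}))
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["src"] not in INSTRUMENT_NET or not is_external(f["dst"]):
            continue
        service = WATCHED_PORTS.get(f["port"])
        if service is None:
            continue
        entry = summary[str(f["src"])][(str(f["dst"]), service)]
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
    return {src: dict(peers) for src, peers in summary.items()}


def alerts(summary):
    """Mail traffic from an instrument is always notable; large plain-http
    transfers are worth a look because nothing authenticates the server."""
    out = []
    for src, peers in summary.items():
        for (dst, service), stats in peers.items():
            if service in ("smtp", "submission"):
                out.append(f"{src}: mail traffic to {dst} ({service}), "
                           f"{stats['flows']} flow(s)")
            elif service == "http" and stats["bytes"] >= LARGE_HTTP_BYTES:
                out.append(f"{src}: {stats['bytes']} bytes over plain http "
                           f"to {dst} in {stats['flows']} flow(s)")
    return out


if __name__ == "__main__":
    for alert in alerts(summarize_egress(SAMPLE_FLOWS)):
        print(alert)
```

Flow exports differ in whether the byte count is client-to-server or both directions combined, so treat the threshold as a nudge to look at the capture, not as proof of an upload; the mail-port rule needs no such caveat, since an oscilloscope has no business talking SMTP at all.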
 

Online tv84

  • Super Contributor
  • ***
  • Posts: 3217
  • Country: pt
Re: Hacking the Rigol MSO5000 series oscilloscopes
« Reply #1224 on: August 22, 2019, 01:54:10 pm »
Phoning home would be quite rude.

I raised this question from the very beginning.

https://www.eevblog.com/forum/testgear/hacking-the-rigol-mso5000-series-oscilloscopes/msg2073469/#msg2073469

At the time few people had the scope so the matter went to sleep.

Then I just saw the email thing, later I saw the RSA package upload....

When people started reporting the "bug" of the delays in booting up when connected to the net, I immediately started thinking that it was a "feature" and not a "bug". I confess that I never investigated thoroughly... It was just a hunch until a few days ago.

I hate something like this, especially when it's done by the same guys who are able to create the SMTP vulnerabilities that we saw in the last few days...

Deeply worrisome!!

I've done plenty of assembly analysis on all that equipment and never saw this in any of it.

This is a thing that I think can be seen in the new Rigol line of equipment: MSO5000, 7000 and for sure the 8000. I think it's also in the RSA3000/5000 (but this one I would need to recheck).
 
The following users thanked this post: thm_w, Kean

