> Excerpt from the report's introduction: "In the past years, the problem of vulnerabilities in industrial automation systems has been becoming increasingly important. The fact that industrial control systems have been developing in parallel with IT systems, relatively independently and often without regard for modern secure coding practices, is probably the main source of ICS security problems."

Analysis Summary
# Research: A Silver Bullet for the Attacker: A Study into the Security of Hardware License Tokens
## Metadata
- **Authors:** Kaspersky ICS CERT (Vladimir Dashchenko, Sergey Temnikov, Dmitry Sklyar)
- **Institution:** Kaspersky Lab
- **Publication:** Kaspersky ICS CERT Technical Report
- **Date:** January 22, 2018
## Abstract
This research investigates the security posture of hardware license tokens (dongles) used extensively in Industrial Control Systems (ICS) and automation environments. The study shows that while the tokens themselves are intended to protect intellectual property and prevent unauthorized software use, the software installed alongside them (device drivers and the License Manager service) adds network-reachable attack surface with critical vulnerabilities. The researchers demonstrate how these "security" components can be exploited for remote code execution (RCE) and used as a foothold for lateral movement inside sensitive industrial networks.
## Research Objective
The research aims to address whether hardware license tokens, widely trusted in the ICS sector, meet modern security standards. It specifically explores whether the drivers and management software associated with these tokens increase the attack surface of critical infrastructure.
## Methodology
### Approach
The researchers employed a combination of reverse engineering, fuzzing, and manual vulnerability analysis focusing on both the hardware communication protocols and the software stacks (drivers and web consoles) provided by major vendors.
### Dataset/Environment
The study focused on prominent hardware licensing solutions common in industrial automation, specifically:
- **Sentinel LDK** and the **HASP HL** token family (Gemalto/SafeNet, formerly Aladdin HASP)
- **Wibu-Systems CodeMeter** (referenced in the context of ICS software integration)
### Tools & Technologies
- **Static Analysis:** IDA Pro for binary reverse engineering.
- **Dynamic Analysis:** OllyDbg and x64dbg.
- **Network Analysis:** Wireshark for intercepting communication between the software and the token.
- **Fuzzing:** Custom scripts to test API and driver robustness.
## Key Findings
### Primary Results
1. **Hidden Network Service:** Installing the token driver package (Sentinel LDK Run-time Environment) also installs the License Manager service (`hasplms.exe`) with a web-based administration interface that listens on TCP port 1947 on all network interfaces by default; on Windows the installer adds a firewall exception for the port without clearly notifying the user.
2. **Remote Code Execution:** Several memory-safety bugs (including buffer overflows) in the License Manager allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges.
3. **Denial of Service:** Other flaws allow an attacker to remotely crash the license service; the industrial software that depends on it for license checks then stops working.
### Supporting Evidence
- Identification of **CVE-2017-11485, CVE-2017-11486, and CVE-2017-11487** within the Gemalto Sentinel LDK.
- Evidence that the vulnerabilities can be triggered by a single unauthenticated HTTP request to the management console, so any host with network reach to TCP port 1947 can exploit them; no credentials or prior foothold on the workstation are needed.
### Novel Contributions
- Reframing license tokens from a protection mechanism into a third-party component that enters the ICS software supply chain and brings its own remotely reachable attack surface.
- Demonstrating that the "parallel development" of ICS and IT has resulted in a legacy of insecure coding practices in third-party licensing components.
## Technical Details
The most severe vulnerability described is a **heap overflow** in the administrative web interface of the Sentinel LDK License Manager. Because the `hasplms.exe` service runs with SYSTEM privileges (it has to talk to the hardware drivers), an unauthenticated attacker who can reach TCP port 1947 sends a specially crafted request that corrupts heap structures, redirects control flow and executes shellcode in the context of the service. This is particularly dangerous because the service is a legitimate vendor component that is present on many ICS workstations and is rarely treated as attack surface, so a compromise through it is unlikely to be scrutinized.
## Practical Implications
### For Security Practitioners
- Recognize that hardware dongles are not "set and forget" devices: the driver package turns the host into a network-listening node that requires patching and monitoring like any other service.
- Audit all ICS workstations and servers for listeners on TCP port 1947 (and for the License Manager service itself); the service arrives with the driver rather than being chosen by the operator, so its presence is easy to miss in an asset inventory.
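An added example (not code from the Kaspersky report) of the network-side audit just described: probe TCP/1947 on each host, issue a plain HTTP request and fingerprint the reply. The request path, the signature strings and the two sample replies are assumptions or constructed data, not captures from a real License Manager; confirm the signatures against a known instance before relying on the verdict.

```python
"""Network-side audit for exposed Sentinel/HASP License Manager web consoles.

Added example, not code from the Kaspersky report. Assumptions (not confirmed
by the report): the console speaks plain HTTP on TCP/1947 and its reply
mentions 'Sentinel', 'HASP' or 'Admin Control Center'. Sample replies below
are constructed, not real captures.
"""
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

LICENSE_MANAGER_PORT = 1947
# Fingerprint strings (assumed); confirm against a known instance before relying on them.
SIGNATURES = ("sentinel", "hasp", "admin control center")


@dataclass
class ProbeResult:
    host: str
    reachable: bool
    server_header: Optional[str]
    looks_like_license_manager: bool


def parse_http_response(raw: bytes) -> Tuple[Optional[str], bool]:
    """Return (Server header or None, whether any signature appears in header or body)."""
    text = raw.decode("latin-1", errors="replace").replace("\r\n", "\n")
    head, _, _body = text.partition("\n\n")
    server = None
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
            break
    matched = any(sig in text.lower() for sig in SIGNATURES)
    return server, matched


def probe(host: str, port: int = LICENSE_MANAGER_PORT, timeout: float = 3.0) -> ProbeResult:
    """Connect, send a minimal GET / and classify up to 4 KiB of the reply."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks: List[bytes] = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            while sum(len(c) for c in chunks) < 4096:
                data = sock.recv(1024)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        # Refused, filtered or timed out before any data: nothing to classify.
        if not chunks:
            return ProbeResult(host, False, None, False)
    server, matched = parse_http_response(b"".join(chunks))
    return ProbeResult(host, True, server, matched)


def audit(hosts: Iterable[str]) -> List[ProbeResult]:
    return [probe(h) for h in hosts]


# Constructed sample replies for offline use (not captures from a real License Manager).
SAMPLE_LICENSE_MANAGER_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: ExampleLM/1.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Sentinel Admin Control Center</title></head>"
    b"<body>constructed sample page</body></html>"
)
SAMPLE_UNRELATED_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"\r\n"
    b"<html><body>intranet portal</body></html>"
)

if __name__ == "__main__":
    import sys
    for r in audit(sys.argv[1:]):
        verdict = ("LICENSE MANAGER EXPOSED" if r.looks_like_license_manager
                   else "open, unidentified" if r.reachable else "closed/filtered")
        print(f"{r.host}:{LICENSE_MANAGER_PORT}  {verdict}  server={r.server_header!r}")
```

Run it with a list of workstation addresses as arguments; any host reported as open but unidentified still deserves a manual look, since a hardened or non-default console may not match the assumed strings.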
### For Defenders
- **Restrict the management interface:** block inbound connections to TCP port 1947 with a host-based firewall so that only local processes can reach the License Manager, unless network licensing is strictly required; where it is, allow only the specific client hosts that need it.
- **Update the driver package independently:** track and patch the Sentinel LDK Run-time Environment separately from the industrial software that bundled it, since vendors often ship outdated versions and may not re-release their installers when the driver is fixed.
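The restriction above is easiest to check from the host's own socket table: a License Manager bound to a wildcard address (0.0.0.0, :: or *) is reachable from other hosts unless a firewall rule blocks it, while one bound to a loopback address is not. The following is an added example, not part of the report, that parses `netstat -ano` (Windows) or `ss -ltn` (Linux) output and flags every port 1947 listener not bound to loopback; the two sample outputs are constructed. Because a firewall rule does not change the bind address, this tells you which hosts need the rule, and a probe from a second host is still required to confirm the rule works.

```python
"""Host-side audit: find License Manager listeners that are reachable from the network.

Added example, not from the Kaspersky report. A listener on 1947 bound to a
wildcard address (0.0.0.0, ::, *) is reachable from other hosts unless a host
firewall blocks it; one bound to a loopback address is not. The sample
outputs below are constructed, not real captures.
"""
import ipaddress
import platform
import re
import subprocess
from typing import List

LICENSE_MANAGER_PORT = 1947

# First "address:port" token on a line; address may be IPv4, bracketed IPv6 or '*'.
_SOCKET_RE = re.compile(r"(\[[0-9a-fA-F:.%]*\]|[0-9.]+|\*):(\d+)")


def _is_loopback(addr: str) -> bool:
    bare = addr.strip("[]")
    if bare in ("", "*"):
        return False  # wildcard binds are exposed
    try:
        return ipaddress.ip_address(bare).is_loopback
    except ValueError:
        return False  # unparseable: report it rather than silently pass


def find_exposed_listeners(socket_table: str, port: int = LICENSE_MANAGER_PORT) -> List[str]:
    """Return local 'addr:port' strings of LISTEN sockets on `port` not bound to loopback."""
    exposed: List[str] = []
    for line in socket_table.splitlines():
        if "LISTEN" not in line.upper():
            continue  # matches 'LISTENING' (netstat) and 'LISTEN' (ss)
        m = _SOCKET_RE.search(line)  # first token on the line is the local address
        if m is None or int(m.group(2)) != port:
            continue
        if not _is_loopback(m.group(1)):
            exposed.append(f"{m.group(1)}:{m.group(2)}")
    return exposed


def collect_socket_table() -> str:
    """Run the platform's standard socket listing and return its stdout."""
    cmd = ["netstat", "-ano"] if platform.system() == "Windows" else ["ss", "-ltn"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed sample of `netstat -ano` output (Windows), not a real capture.
SAMPLE_WINDOWS_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1947           0.0.0.0:0              LISTENING       2480
  TCP    127.0.0.1:1947         0.0.0.0:0              LISTENING       2480
  TCP    [::]:1947              [::]:0                 LISTENING       2480
  TCP    192.168.1.10:1947      192.168.1.55:51233     ESTABLISHED     2480
"""

# Constructed sample of `ss -ltn` output (Linux), not a real capture.
SAMPLE_LINUX_SS = """
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
LISTEN  0       128          127.0.0.1:1947       0.0.0.0:*
LISTEN  0       128               [::]:1947          [::]:*
LISTEN  0       4096           0.0.0.0:22           0.0.0.0:*
"""

if __name__ == "__main__":
    hits = find_exposed_listeners(collect_socket_table())
    print("port 1947 listeners reachable from the network:", hits or "none")
```

On the constructed Windows sample the IPv4 and IPv6 wildcard binds are reported while the loopback bind is not; on the Linux sample only the IPv6 wildcard is reported, which is the case that is easy to overlook when a firewall rule was written for IPv4 only.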
### For Researchers
- Investigate other third-party libraries (e.g., communication stacks, logging utilities) integrated into ICS software that may share similar "blind spot" characteristics.
## Limitations
- The research focused heavily on the Gemalto/SafeNet ecosystem, though it suggests systemic issues across the industry.
- The study does not cover the physical side-channel attacks on the hardware chips themselves, focusing instead on the software/network interface.
## Comparison to Prior Work
Traditional ICS security research often focuses on PLC logic or proprietary industrial protocols (Modbus, S7). This work differs by highlighting the **licensing middleware**—a ubiquitous but often ignored layer of the ICS software stack—as a primary high-risk entry point.
## Real-world Applications
- **Vulnerability Management:** Incorporation of license manager versions into Asset Inventory scans.
- **Network Segmentation:** Validating that licensing traffic cannot traverse between the corporate and production (Purdue Model Level 3/2) zones.
## Future Work
- Analysis of cloud-based licensing shifts in ICS and whether the transition to "Software-as-a-Service" licensing removes or merely transforms these risks.
- Research into the "Dependency Hell" of ICS software, where one vulnerable driver affects hundreds of different industrial products from various vendors.
## References
- Kaspersky ICS CERT Report (Defanged): hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/01/22/a-silver-bullet-for-the-attacker-a-study-into-the-security-of-hardware-license-tokens/
- CVE-2017-11485 (Sentinel LDK Buffer Overflow)
- ICS-CERT Advisory (ICSA-17-234-01)