
TED2011

Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

Views 1,357,442

When first discovered in 2010, the Stuxnet computer worm posed a baffling puzzle. Beyond its sophistication loomed a more troubling mystery: its purpose. Ralph Langner and team helped crack the code that revealed this digital warhead's final target. In a fascinating look inside cyber-forensics, he explains how -- and makes a bold (and, it turns out, correct) guess at its shocking origins.

Ralph Langner - Security consultant
Ralph Langner is a German control system security consultant. He has received worldwide recognition for his analysis of the Stuxnet malware.

The idea behind the Stuxnet computer worm
00:15
is actually quite simple.
00:18
We don't want Iran to get the bomb.
00:20
Their major asset for developing nuclear weapons
00:23
is the Natanz uranium enrichment facility.
00:26
The gray boxes that you see,
00:30
these are real-time control systems.
00:32
Now if we manage to compromise these systems
00:35
that control drive speeds and valves,
00:38
we can actually cause a lot of problems
00:41
with the centrifuge.
00:44
The gray boxes don't run Windows software;
00:46
they are a completely different technology.
00:48
But if we manage
00:51
to place a good Windows virus
00:53
on a notebook
00:56
that is used by a maintenance engineer
00:58
to configure this gray box,
01:00
then we are in business.
01:03
And this is the plot behind Stuxnet.
01:05
So we start with a Windows dropper.
01:08
The payload goes onto the gray box,
01:13
damages the centrifuge,
01:16
and the Iranian nuclear program is delayed --
01:18
mission accomplished.
01:20
That's easy, huh?
01:22
I want to tell you how we found that out.
01:24
When we started our research on Stuxnet six months ago,
01:27
it was completely unknown what the purpose of this thing was.
01:30
The only thing that was known
01:33
is it's very, very complex on the Windows part, the dropper part,
01:35
used multiple zero-day vulnerabilities.
01:38
And it seemed to want to do something
01:41
with these gray boxes, these real-time control systems.
01:44
So that got our attention,
01:46
and we started a lab project
01:48
where we infected our environment with Stuxnet
01:50
and checked this thing out.
01:54
And then some very funny things happened.
01:56
Stuxnet behaved like a lab rat
01:59
that didn't like our cheese --
02:02
sniffed, but didn't want to eat.
02:05
Didn't make sense to me.
02:07
And after we experimented with different flavors of cheese,
02:09
I realized, well, this is a directed attack.
02:12
It's completely directed.
02:16
The dropper is prowling actively
02:18
on the gray box
02:20
if a specific configuration is found,
02:22
and even if the actual program code that it's trying to infect
02:25
is actually running on that target.
02:29
And if not, Stuxnet does nothing.
02:31
So that really got my attention,
02:34
and we started to work on this
02:36
nearly around the clock,
02:38
because I thought, "Well, we don't know what the target is.
02:40
It could be, let's say for example,
02:43
a U.S. power plant,
02:45
or a chemical plant in Germany.
02:47
So we better find out what the target is soon."
02:49
So we extracted and decompiled
02:52
the attack code,
02:54
and we discovered that it's structured in two digital bombs --
02:56
a smaller one and a bigger one.
02:59
And we also saw that they are very professionally engineered
03:02
by people who obviously had all insider information.
03:06
They knew all the bits and bytes
03:10
that they had to attack.
03:12
They probably even know the shoe size of the operator.
03:14
So they know everything.
03:17
And if you have heard that the dropper of Stuxnet
03:19
is complex and high-tech,
03:22
let me tell you this:
03:24
the payload is rocket science.
03:26
It's way above everything
03:28
that we have ever seen before.
03:30
Here you see a sample of this actual attack code.
03:33
We are talking about --
03:36
around about 15,000 lines of code.
03:38
Looks pretty much like old-style assembly language.
03:41
And I want to tell you how we were able
03:44
to make sense out of this code.
03:46
So what we were looking for is, first of all, system function calls,
03:48
because we know what they do.
03:51
And then we were looking for timers and data structures
03:53
and trying to relate them to the real world --
03:57
to potential real world targets.
03:59
So we do need target theories
04:01
that we can prove or disprove.
04:04
In order to get target theories,
04:07
we remember
04:09
that it's definitely hardcore sabotage,
04:11
it must be a high-value target
04:13
and it is most likely located in Iran,
04:15
because that's where most of the infections had been reported.
04:18
Now you don't find several thousand targets in that area.
04:22
It basically boils down
04:25
to the Bushehr nuclear power plant
04:27
and to the Natanz fuel enrichment plant.
04:29
So I told my assistant,
04:31
"Get me a list of all centrifuge and power plant experts from our client base."
04:33
And I phoned them up and picked their brain
04:36
in an effort to match their expertise
04:38
with what we found in code and data.
04:40
And that worked pretty well.
04:43
So we were able to associate
04:45
the small digital warhead
04:47
with the rotor control.
04:49
The rotor is that moving part within the centrifuge,
04:51
that black object that you see.
04:54
And if you manipulate the speed of this rotor,
04:56
you are actually able to crack the rotor
04:59
and eventually even have the centrifuge explode.
05:01
What we also saw
05:05
is that the goal of the attack
05:07
was really to do it slowly and creepy --
05:09
obviously in an effort
05:12
to drive maintenance engineers crazy,
05:14
that they would not be able to figure this out quickly.
05:17
The big digital warhead -- we had a shot at this
05:20
by looking very closely
05:23
at data and data structures.
05:25
So for example, the number 164
05:27
really stands out in that code;
05:29
you can't overlook it.
05:31
I started to research scientific literature
05:33
on how these centrifuges
05:35
are actually built in Natanz
05:37
and found they are structured
05:39
in what is called a cascade,
05:41
and each cascade holds 164 centrifuges.
05:43
So that made sense, that was a match.
05:47
And it even got better.
05:49
These centrifuges in Iran
05:51
are subdivided into 15, what is called, stages.
05:53
And guess what we found in the attack code?
05:57
An almost identical structure.
05:59
So again, that was a real good match.
06:01
And this gave us very high confidence for what we were looking at.
06:04
Now don't get me wrong here, it didn't go like this.
06:07
These results have been obtained
06:10
over several weeks of really hard labor.
06:13
And we often went into just a dead end
06:16
and had to recover.
06:19
Anyway, so we figured out
06:21
that both digital warheads
06:23
were actually aiming at one and the same target,
06:25
but from different angles.
06:27
The small warhead is taking one cascade,
06:29
and spinning up the rotors and slowing them down,
06:32
and the big warhead
06:35
is talking to six cascades
06:37
and manipulating valves.
06:39
So in all, we are very confident
06:41
that we have actually determined what the target is.
06:43
It is Natanz, and it is only Natanz.
06:45
So we don't have to worry
06:48
that other targets
06:50
might be hit by Stuxnet.
06:52
Here's some very cool stuff that we saw --
06:54
really knocked my socks off.
06:57
Down there is the gray box,
06:59
and on the top you see the centrifuges.
07:01
Now what this thing does
07:04
is it intercepts the input values from sensors --
07:06
so for example, from pressure sensors
07:09
and vibration sensors --
07:11
and it provides legitimate program code,
07:13
which is still running during the attack,
07:16
with fake input data.
07:18
And as a matter of fact, this fake input data
07:20
is actually prerecorded by Stuxnet.
07:22
So it's just like from the Hollywood movies
07:25
where during the heist,
07:27
the observation camera is fed with prerecorded video.
07:29
That's cool, huh?
07:32
The idea here is obviously
07:35
not only to fool the operators in the control room.
07:37
It actually is much more dangerous and aggressive.
07:40
The idea
07:44
is to circumvent a digital safety system.
07:46
We need digital safety systems
07:50
where a human operator could not act quickly enough.
07:52
So for example, in a power plant,
07:55
when your big steam turbine gets too over speed,
07:57
you must open relief valves within a millisecond.
08:00
Obviously, this cannot be done by a human operator.
08:03
So this is where we need digital safety systems.
08:06
And when they are compromised,
08:08
then real bad things can happen.
08:10
Your plant can blow up.
08:13
And neither your operators nor your safety system will notice it.
08:15
That's scary.
08:18
But it gets worse.
08:20
And this is very important, what I'm going to say.
08:22
Think about this:
08:25
this attack is generic.
08:27
It doesn't have anything to do, in specifics,
08:30
with centrifuges,
08:34
with uranium enrichment.
08:36
So it would work as well, for example,
08:39
in a power plant
08:42
or in an automobile factory.
08:44
It is generic.
08:47
And you don't have -- as an attacker --
08:49
you don't have to deliver this payload
08:51
by a USB stick,
08:54
as we saw it in the case of Stuxnet.
08:56
You could also use conventional worm technology for spreading.
08:58
Just spread it as wide as possible.
09:01
And if you do that,
09:04
what you end up with
09:06
is a cyber weapon of mass destruction.
09:08
That's the consequence
09:14
that we have to face.
09:16
So unfortunately,
09:19
the biggest number of targets for such attacks
09:22
are not in the Middle East.
09:25
They're in the United States and Europe and in Japan.
09:27
So all of the green areas,
09:30
these are your target-rich environments.
09:32
We have to face the consequences,
09:35
and we better start to prepare right now.
09:38
Thanks.
09:41
(Applause)
09:43
Chris Anderson: I've got a question.
09:49
Ralph, it's been quite widely reported
09:53
that people assume that Mossad
09:55
is the main entity behind this.
09:57
Is that your opinion?
09:59
Ralph Langner: Okay, you really want to hear that?
10:02
Yeah. Okay.
10:04
My opinion is that the Mossad is involved,
10:06
but that the leading force is not Israel.
10:09
So the leading force behind that
10:12
is the cyber superpower.
10:14
There is only one,
10:17
and that's the United States --
10:19
fortunately, fortunately.
10:21
Because otherwise,
10:23
our problems would even be bigger.
10:25
CA: Thank you for scaring the living daylights out of us. Thank you, Ralph.
10:28
(Applause)
10:32


About the speaker:


Why you should listen

Ralph Langner heads Langner, an independent cyber-security firm that specializes in control systems -- electronic devices that monitor and regulate other devices, such as manufacturing equipment. These devices' deep connection to the infrastructure that runs our cities and countries has made them, increasingly, the targets of an emerging, highly sophisticated type of cyber-warfare. And since 2010, when the Stuxnet computer worm first reared its head, Langner has stood squarely in the middle of the battlefield.

As part of a global effort to decode the mysterious program, Langner and his team analyzed Stuxnet's data structures, and revealed what he believes to be its ultimate intent: the control system software known to run centrifuges in nuclear facilities -- specifically, facilities in Iran. Further analysis by Langner uncovered what seem to be Stuxnet's shocking origins, which he revealed in his TED2011 talk. (PS: He was right.)
