The boom of AI brought to the market a set of impressive solutions both on the hardware and software side. On the other hand, massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns. In this talk we will present results of hands-on vulnerability research of different components of AI infrastructure including NVIDIA DGX GPU servers, ML frameworks such as Pytorch, Keras and Tensorflow, data processing pipelines and specific applications, including Medical Imaging and face recognition powered CCTV. Updated Internet Census toolkit based on the Grinder framework will be introduced.

1. 1
Vulnerabilities of Machine
Learning Infrastructure
Sergey Gordeychik
- セルゲイ・ゴディチック
serg.gordey@gmail.com
@scadasl

2. Sergey Gordeychik
§ AI and Cybersecurity Executive
• Abu Dhabi, UAE
§ Visiting Professor, Cyber Security
• Harbour.Space University, Barcelona, Spain
§ Program Chair, PHDays Conference
• www.phdays.com, Moscow
§ Bandleader, www.GradeZero.band
§ Cyber-physical troublemaker
• SCADA Strangelove, HackingOdyssey
• www.scada.sl, @scadasl
§ Ex…
• Deputy CTO, Kaspersky Lab
• CTO, Positive Technologies
• Gartner recognized products and services
2

3. Disclaimer
Please note, that this talk is by Sergey and Hacking Odyssey group.
We don't speak for our employers.
All the opinions and information here are of our responsibility. So, mistakes and bad
jokes are all OUR responsibilities.
3https://github.com/sdnewhophttps://scada.sl/
Hacking Odyssey Group
Sergey Gordeychik
Anton Nikolaev
Denis Kolegov
Maria Nedyak
Roman Palkin
Hacking Odyssey Projects
Grinder Framewrok
AISec
DICOM Sec
SD-WAN New Hop

4. 4

5. 5
PWN?
Adversarial example
anyone?

6. 6
Adversarial example?

7. 7

8. 8

9. 9

10. 10

11. 11
Hacking as usual…
https://slideplayer.com/slide/4378533/

12. 12
Spherical AI traveling in a vacuum?

13. 13
What is
AI Infrastructure?

14. 14
You should
scan all
these
Internets for
AI

15. 15
Grinder Framework
github.com/sdnewhop/grinder

16. AIFinger Project
The goals of the project is to provide tools and results of passive and active fingerprinting of
Machine Learning Frameworks and Applications using a common Threat Intelligence
approach and to answer the following questions:
● How to detect ML backend systems on the Internet and Enterprise network?
● Are ML apps secure at Internet scale?
● What is ML apps security level in a general sense at the present time?
● How long does it take to patch vulnerabilities, apply security updates to the ML
backend systems deployed on the Internet?
sdnewhop.github.io/AISec/
github.com/sdnewhop/AISec
Contributors:
● Sergey Gordeychik
● Anton Nikolaev
● Denis Kolegov
● Maria Nedyak

17. AIFinger Project Coverage
● Frameworks
○ TensorFlow
○ NVIDIA DIGITS
○ Caffe
○ TensorBoard
○ Tensorflow.js
○ brain.js
○ Predict.js
○ ml5.js
○ Keras.js
○ Figue.js
○ Natural.js
○ neataptic.js
○ ml.js
○ Clusterfck.js
○ Neuro.js
○ Deeplearn.js
○ Convnet.js
○ Synaptic.js
○ Apache mxnet
● Databases with ML Content
○ Elasticsearch with ML data
○ MongoDB with ML data
○ Docker API with ML data
● Databases
○ Elasticsearch
○ Kibana (Elasticsearch
Visualization Plugin)
○ Gitlab
○ Samba
○ Rsync
○ Riak
○ Redis
○ Redmon (Redis Web UI)
○ Cassandra
○ Memcached
○ MongoDB
○ PostgreSQL
○ MySQL
○ Docker API
○ CouchDB
● Job and Message Queues
○ Alibaba Group Holding AI Inference
○ Apache Kafka Consumer Offset Monitor
○ Apache Kafka Manager
○ Apache Kafka Message Broker
○ RabbitMQ Message Broker
○ Celery Distributed Task Queue
○ Gearman Job Queue Monitor
● Interactive Voice Response (IVR)
○ ResponsiveVoice.JS
○ Inference Solutions
● Speech Recognition
○ Speech.js
○ dictate.js
○ p5.speech.js
○ artyom.js
○ SpeechKITT
○ annyang
Measuring Artificial Intelligence and Machine Learning Implementation Security on the Internet
https://www.researchgate.net/publication/337771481_Measuring_Artificial_Intelligence_and_Machine_Learning_Implementation_Security_on_the_Internet

18. 18
Results (April 2020)
http://www.scada.sl/2020/04/ai-internet-census-april-2020.html

19. 19
Databases

20. 20
Dockers

21. 21
NVIDIA DIGITS
§ Training logs
§ Datasets
§ Model design

22. 22
Tensorboard
§ …
§ Everything
§ + vulns
The TensorFlow server is meant
for internal communication only.
It is not built for use in an
untrusted network.
Totally more than 120 results

23. Kubeflow

24. June 2020
https://www.microsoft.com/security/blog/2020/06/10/misconfigured-kubeflow-workloads-are-a-
security-risk/
observed deployment of a suspect image from a public repository on many different
clusters. The image is ddsfdfsaadfs/dfsdf:99. By inspecting the image’s layers, we can
see that this image runs an XMRIG miner:
Large scale campaign against Kubernetes and Kuberflow clusters
that abused exposed Kubernetes dashboards for deploying
cryptocurrency miner

25. 25
To find a ML Server
in the
Internet?

26. 26
GPGPU?

27. 27
Crypto currency on GPGPU in 2019?
https://www.zoomeye.org/searchResult?q=%2Bport%3A%225555%22%20%2Bservice%3A%22http%22%20NVIDIA

28. 28
DGX-1
§ 8 Tesla V100-32GB
§ TFLOPS (deep learning) 1000
§ CUDA Cores 40,960
§ Tensor Cores 5,120
§ $130,000
§ Good hashcat rate :) NetNTLMv2: 28912.2 MH/s
MD5: 450.0 GH/s
SHA-256: 59971.8 MH/s
MS Office 2013: 163.5 kH/s
bcrypt $2*$, Blowfish (Unix): 434.2 kH/s
https://hashcat.net/forum/thread-6972.html

29. 29
Other things?

30. 30
SNMPWALK

31. 31
Ok, let’s scan!
Nmap scan report for X.X.X.X
Host is up (0.010s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)
80/tcp open http lighttpd
427/tcp open svrloc?
443/tcp open ssl/http lighttpd
623/udp open ipmi
554/tcp filtered rtsp
1723/tcp filtered pptp
5120/tcp open barracuda-bbs?
5988/tcp open wbem-http?
5989/tcp open ssl/wbem-https?

32. 32
CVE-2013-4786 - 2019

33. 33
Use c0mp13x passwords!

34. 34
I have only one question!
http://www.demotivation.us/i-have-only-one-question-1267735.html
Why it
still
enabled
by default
in 2020?
What do
you
need a
helmet
for?
How the complex password will help?!!

35. 35
Strange certificate
Issued by Quanta Computers Inc?
128 bytes (1024) RSA key?..
Issued 17 of April 2017…
Same serial over the Internet!!!

36. 37
Find and decode firmware
Google for Quanta Computers BMC firmware
binwalk
7-zip
Voilà

37. 38
Grep the cert and keys
TLS services on BMC uses RSA 1024
with weak cyphers, default Diffie-
Hellman primitives.
The private/public keys are hardcoded
in firmware and are the same for many
instances of
Quanta Computers BMC, including
NVIDIA DGX-1.
Public and private keys can be found
unencrypted in
Firmware.
This allow passively decrypt network
communications without MITM
conditions.

38. 39
Other greps?
NetNTLMv2: 28912.2 MH/s
MD5: 450.0 GH/s
SHA-256: 59971.8 MH/s
MS Office 2013: 163.5 kH/s
bcrypt $2*$, Blowfish (Unix): 434.2 kH/s
Can we use DGX to bruteforce DGX password hash?!

39. 40
Or just ask Google?!

40. 41
IPMI passwords
/conf/BMC1/IPMIConfig.dat

41. 42Looks like encryption

42. 43
…and decryption
BlowFish without IV is used as implemented in libblowfish.so.2.5.0
Hint:

43. 44
Lesson learned
• Please don’t use one way hashing with salt. Use plaintext or reversible
encryption.
• Password encryption key should be hardcoded and stored in same folder as a
user database.
• It is important to keep it like the product name.
• Store it in several places across the filesystem for resilience.

44. 45
Hardcoded RC4 Key in JViewer-SOC
• JViewer-SOC (KVM and IPMI applet) use RC4 cipher with a hardcoded key for traffic
encryption.
• In the JViewer-SOC java applet com.ami.kvm.jviewer.soc.video package contains Decoder
• class.
• This class defines DecodeKeys constant which is equal to “fedcba9876543210”.
• Constant is used to initialize RC4 key scheduling (expansion) algorithm.
This allows an attacker to bypass security features, decrypt traffic and extract sensitive
information.

45. 46
Insecure random number generator in RAKP/AES
• JSOL.jar/com/ami/jsol/common/Util.java defines functions random4ByteArray
and random16ByteArray.
• The Random function from java.util.Random class is used.
• These functions are used within RAKP crypto protocol implementation.
• According to the specification of the RAKP it is based on Bellare-Rogaway
protocols .
• The issue is that the 1 protocols require random numbers in cryptographically
sense.
The same function is used to generate IV for AES encryption in the processEncryption function
of IPMISession class.

46. 47
CSRF is not an issue….
A vulnerability to Cross-Site Request Forgery (CSRF) attack was found in the Nvidia BMC
Web Service. It allows an attacker to force an authenticated user to execute the API
endpoints within the web application.
There is a list of internal queries which require active session authentication and don’t
require CSRF token.
/rpc/ getsessiontoken .asp
/rpc/ getrole.asp
/rpc/ getadvisercfg.asp
/rpc/ getvmediacfg.asp
/rpc/ flash_browserclosed.asp
/rpc/ getvideoinfo.asp
/rpc/ getsessiontoken.asp
/rpc/ getrole.asp
/rpc/ downloadvideo.asp
/rpc/ restarthttps.asp
/rpc/ getvmediacfg.asp
/rpc/ getadvisercfg.asp

47. 48
Unrestricted SingImage key upload
SingImage upload feature in DGX-1 BMC accept any correct RSA 1024 public key without any verification.
This key is used to verify firmware signature.
SignImage upload routine, implemented in libifc.so.2.42.0 WebValidateSignImageKey function accept any
correct RSA 1024 public key without any verification of authenticity of the key and store it in the
/conf/public.pem.
CheckImageSign function implemented in libipmimsghndlr.so use public.pem to verify firmware signature.

48. 49
Unrestricted File Upload through CSRF
Web-server handler libmodhapi.so defines stripped function at 0x8BE0
address. This function is being called when an authorized user sends POST request to
/page/file_upload.html .
If a POST request is multipart/form-data this function checks for file argument and if its name
doesn’t end with a ‘/’ symbol¨ looks up for a file path in the hardcoded fille-argument-name-to-
file-path mapping.
However if the argument name ends with ‘/’¨ file is being saved at the file system defined as file
argument name filename.
Thus it is possible to upload custom files and overwrite existing ones with user-defined
absolute path.
Example attack vector - overwrite ./shadow or ./passwd file in the “/conf/” folder to create/modify
users and/or replace default shell to get remote root access via ssh.
Vulnerability can be exploited via CSRF.

49. 50
Attack

50. 51
List of fixes
AISec-NV-2019-01 - Hardcoded admin user (CVE-2020-11483)
AISec-NV-2019-03 - SNMP with well-known community strings enabled by default (CVE-2020-11489)
AISec-NV-2019-04 - Hardcoded RSA keys and self-signed certificate for TLS (CVE-2020-11487)
AISec-NV-2019-10 - Insecure random number generator in RAKP/AES (CVE-2020-11616)
AISec-NV-2019-11 - Hardcoded RC4 Key in JViewer-SOC (CVE-2020-11615)
AISec-NV-2019-15 – Internal methods are vulnerable to CSRF attack (CVE-2020-11485)
AISec-NV-2019-16 – Unrestricted File Upload through CSRF (CVE-2020-11486)
AISec-NV-2019-17 – Hardcoded IMPI passwords encryption key (CVE-2020-11484)
AISec-NV-2019-18 – Unrestricted SingImage key upload (CVE-2020-11488)
Credits: Sergey Gordeychik, Maria Nedyak, Denis Kolegov, Roman Palkin

51. 52
Other things?

52. 53
Any bugs there?
We don’t know yet

53. 54
Disclosure timeline
Tue, 3 Sep 2019, 16:42 – Initial submission
Thu, 19 Sep 2019, 00:40– List of internet-faced DGXs collected by Grinder
Sun, 22 Sep 2019, 23:05 – Ack and workaround discussion
Sat, 5 Oct 2019, 19:50 – Remote root submission
Tue 17 Dec 2019, 21:00 – Call with Alex Matrosov to discuss soooo responsible
disclosure
Feb 2020 – COVID 19 outbreak, cancellation of PHDays and OFFZONE
April – Aug 2020 – GradeZero Rock’n’roll
Tue, 25 Aug, 21:10 – Failed fix (QA issues)
Now – Fixes, Initial disclosure @CodeBlue 2020
Kudos to Alex, Shawn, NVIDIA PSIRT

54. 55
Supply chain is a pain
Megarac SP (DGX-1)
Quanta Computer Inc.
IBM (BMC Advanced System Management)
Lenovo (ThinkServer Management Module)
Hewlett Packard Enterprise Megarac
Mikrobits (Mikrotik)
Megarac SP-X (DGX-2)
Netapp
ASRockRack IPMI
ASUS ASMB9-iKVM
DEPO Computers
TYAN Motherboard
Gigabyte IPMI Motherboards
Gooxi BMC

55. 56
Takeaways
• Big Thing doesn’t mean good security
• Good AI researches are bad cybersec pro
• All vulnerabilities are important
• Supply chain is a pain
• Things are better with Grinder J

56. 57
Infection of the AI models
http://www.scada.sl/2019/11/malign-machine-learning-models-and-bad.html

57. 58
Hacking Medical Imaging
http://www.scada.sl/2020/07/hacking-odyssey-at-hitblockdown002.html

58. 59
What can we do?
For Researchers
AI Cybersecurity is Green Field
From SDN to Model Privacy, from Secure SDL to Adversarial
Robustness
For Enterprises
Don’t trust AI if adversarial “input” is possible
AI IS NOT spherical model traveling in a vacuum!
For Governments
Centralize data and annotation
Force vendors to follow security best practices from the beginning
Detect and control AI-based abuses