Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe.
In an interview Tuesday evening, Beresford said he has reported 18 separate issues to Siemens and to officials at ICS CERT, the Computer Emergency Response Team for the Industrial Control Sector. Siemens said it is readying a patch for some of the holes, including one that would allow a remote attacker to gain administrative control over machinery controlled by certain models of its Step 7 industrial control software.
The presentation is just the latest indication of widespread vulnerabilities in the software and hardware used to run everything from nuclear power and water treatment plants to prisons and on manufacturing assembly lines.
Of the 18 vulnerabilities, almost all should be considered “critical,” Beresford said during an interview on Tuesday. The most serious among them include evidence of a permanent (or “hard coded”) administrative password in some versions of the S7-300 series programmable logic controllers that would give an attacker access to diagnostic functions on the devices. ICS CERT, part of the U.S. Department of Homeland Security, issued an advisory in July warning S7 customers about the discovery, which affects S7-300 PLCs with integrated Profinet interface shipped before October 2009, and IM15x Profinet PLCs shipped before September 2010. Siemens has already released patched versions of the firmware for the affected S7-300 devices, according to ICS-CERT.
A separate vulnerability discovered by Beresford could allow a remote attacker to carry out a denial of service attack against Siemens s7 1200 ICS devices. Such a vulnerability could cause severe disruption, especially in industries where industrial machinery often operates in remote settings that can’t be monitored or attended to. Beresford declined to describe the DOS vulnerability, noting that no patch is currently available for it.
On the lighter side, Beresford claims to have also discovered an “Easter Egg” program embedded in the S7 code that, when run, displays an animation of dancing monkeys.
The researcher will use his presentation at Black Hat to illustrate his ability to disrupt the operation of Siemens S7-300 and 1200 controllers, carrying out so-called “replay attacks” in which administrative commands are captured and then replayed to vulnerable devices in ways that give an attacker access to critical device information or administrative features, or allow an attacker to disrupt the operation of the PLC. The talk is in lieu of one he had planned to give at TakedownCon in June. He cancelled that talk voluntarilly after Siemens and ICS CERT raised concerns about the impact of a public disclosure of the holes.
Beresford authored Metasploit modules for many of the vulnerabilities that will make testing for vulnerable PLCs easy for even novice users. However, those modules will not be released until Siemens has issued patches for the holes and ample time has been given for customers to apply those patches. Patch windows often stay open far longer in critical infrastructure, given the high cost and disruption caused by any interruption in service.
In most cases, an attacker would need to be connected to the same network as the PLC device, or to have planted malicious code on that network that could carry out the attack. However, Beresford said that some of the vulnerabilities he discovered lend themselves to use in a Stuxnet like worm that could propagate between non-critical and critical systems on a network before striking their actual target.
The new revelations from Beresford, a researcher for NSS Labs, comes on the heels of a discovery, in July, of a weakness in its Simatic S7 programmable logic controllers that could allow a remote attacker to intercept and decipher passwords, or change the configuration of the devices. Siemens and US CERT issued an advisory at that time and advised customers to restrict physical and logical access to its Simatic Industrial Automation products. He has also performed research into SCADA and industrial control system software at use within China, the U.S. and Europe, leading to a number of reports to China’s CERT organization about vulnerable critical infrastructure in that country.
Meeting with reporters and representatives from ICS-CERT, NERC and Siemens in his hotel room, Beresford says that his research is intended to counter the public impression that only sophisticated attackers and nation states have the means to hack into industrial control systems. To the contrary, Beresford says that his research required an up front investment of just a few thousand dollars and was conducted from his apartment in his spare time, using refurbished S7 PLCs purchased online. Many of the core components and protocols of such systems, such as the ISO Transport Service on top of the TCP weren’t designed with security in mind, and havent been updated for more than two decades, Beresford noted.
The demonstration is one of a few at the Black Hat and DEFCON hacking conferences this week that will tackle vulnerabilities in SCADA and industrial control system software. A team of researchers will also demonstrate how PLCs used to run industrial systems in prisons could be vulnerable to compromise, also.
The increasing attention to SCADA systems comes on the heels of Stuxnet. It is bound to add pressure to both the Department of Homeland Security and firms like Siemens to take a hard look at the security of PLCs and other industrial control equipment. Long considered too specialized and remote to be vulnerable to attack, the devices are finally getting attention from security researchers, who have found them to be wanting. The wide range of deployment possibilities for equipment like the S7 PLCs makes it hard for Siemens to know where or how they will be used, or what the implications of a vulnerability or attack might be.
