A month after an unknown gray hat hacker calling himself “pr0f” used a three character password to hack his way onto computers used to manage water treatment equipment in South Houston, Texas, a security researcher is accusing the company that makes the industrial control system (ICS) software, Siemens, of trying to cover up the existence of other, more serious vulnerabilities.
Billy Rios, a respected security researcher who works for Google, used a post on his personal blog to discuss the security vulnerability in Siemens SIMATIC software. The hole could allow a remote attacker to gain access to the user interface without a user name and password, Rios said. Rios claims that he has disclosed the hole to Siemens and that the company has acknowledged the problem, only to deny its existence when a reporter asked for more information about the vulnerability.
Rios’s blog post fills in details about a range of security flaws and poorly designed features that make Siemens Simatic HMI (human machine interface) software a fat target for remote hackers who can use tools like the free Sh0dan scanner to find Internet-facing SCADA systems.
First: Rios notes that Siemens’s Simatic software ships with a weak, three character default password (“100”) which is used to secure the default administrative account and fails to require customers to immediately update the default password to a unique, hardened password upon installation. Security experts have speculated that the hacker known as “Pr0f” took advantage of the default Simatic password to get access to systems controlling water and sewer infrastructure in South Houston, Texas.
According to Rios, even organizations that think they’ve switched to a hardened password may be surprised to learn that they haven’t. During the Simatic installation, three different services are created: a Web service for the Web interface, a Telnet service for remote management of the device and a virtual network computing (VNC) service that is used for remote access and control of the Simatic software. All three are configured with the weak default password, but maintain their credentials separately. “Changing the default password for the Web interface doesn’t change the VNC password (and vice versa),” Rios writes. “I’ve found MANY of these services listening on the Internet.” In addition, customers who attempt to harden their Simatic password, but attempt to reset it to a non-conforming password (for example: one that uses special characters) may inadvertently reset the password to the weak default password, Rios said.
Finally, Rios claims that Siemens Simatic HMI Web application creates unique session cookies that are easy to clone and non-random. A clever attacker could develop a tool for predicting a valid session cookie, which could then be used to gain access to the HMI software even without a user name and password, Rios claims.
In an e-mail message to Threatpost, Rios said that he reported the issues regarding weak and insecure passwords, as well as cross site scripting holes to Siemens and the DHS ICS-CERT six months ago. He said he was angered to learn of Siemens’ official denials of the security holes. He said the company has privately acknowledged the holes to him and ICS-CERT and even reserved CVE (Common Vulnerabilities and Exposures) numbers for the vulnerabilities Rios disclosed.
“Why Siemens felt the need to blatantly deceive Reuters is beyond me…A simple “no comment” or “we don’t discuss these matters” would have been fine, instead Siemens chose to deceive Reuters (and the public) while at the same time discrediting me in front of the Reuters reporter,” he wrote.
Siemens did not respond to phone calls and e-mail messages seeking comment. However, this isn’t the first time the company has found itself on the wrong side of the security community. Researcher Dillon Beresford accused the company of downplaying serious holes in the software used to control Siemens Simatic programmable logic controllers (PLCs) in May, 2011 after Siemens moved to squelch a talk by Beresford at TakedownCon in Dallas, Texas. Siemens eventually patched the holes Beresford had identified, but downplayed their significance: saying they were created in a laboratory environment and under ideal circumstances that didn’t reflect real world deployments. SCADA experts like Ralph Langner have noted that many of the vulnerabilities exploited by the Stuxnet worm that were specific to SCADA systems (as opposed to Windows PCs and servers) remain unpatched.
The company, along with other SCADA software makers, has also argued that many of the reported “vulnerabilities” are, in fact, features of the software, not security holes. DHS has signalled that it might, also, stop referring to insecure features of SCADA products as vulnerabilities.
On Wednesday, Rios received support from other security experts who work on industrial control systems. Dale Peterson, founder of Digital Bond, a control system security research and consulting firm, responded, on Twitter, saying “Siemens lies again…But Siemens continues to get away with it from the CEO to engineer to PR type, so why stop if it is working?”