UPDATE – Stuxnet Expert: Analysis Shows Design Flaw, Not Vulnerability Sunk Siemens

MIAMI–The world’s foremost expert on the Stuxnet worm said an analysis of source code for a critical component of the malware proves that Iran’s nuclear program was the target, and that the attackers were able to exploit weak design in Siemens software, rather than having to exploit a software vulnerability, to carry out their attack.

Ralph Langner, an independent security researcher, presented his analysis of the specialized code used by the Stuxnet worm to exploit Siemens Simatic S7-417 programmable logic controllers (PLCs) to an audience of his peers: industrial control security experts at the annual S4 Conference. In it, Langner stepped through decompiled Stuxnet code alongside open source intelligence, isolating key lines of code used in the attack and arguing that Stuxnet was designed by industrial control experts with a specific target in mind: the Iranian uranium enrichment facility at Natanz.

“I can say we now know Stuxnet’s target with a confidence of 100 percent,” Langner told the gathering of around 60 experts in SCADA and industrial control systems.

Langner was the first industrial control system expert to finger Iran as the likely target of the Stuxnet worm, which at first confounded virus researchers and security experts used to analyzing malicious code designed for compromising traditional IT infrastructures. He has long claimed that the Stuxnet code used to compromise S7-417 PLCs proves Iran was the worm’s target, though this was the first time Langner shared the details of his analysis with the public.

With a news crew from the weekly news program 60 Minutes on hand to film his presentation, Langner walked attendees through the process he and others used to reverse engineer and decompile the worm’s code to yield the raw source code – the computer instructions that governed Stuxnet’s actions.

His analysis focused on a handful of code blocks that governed key aspects of the worm, and challenged earlier theories that the Stuxnet code designed for S7-417 programmable logic controllers was “incomplete” or not active. Langner believes that the code, while incapable of running on its own, was designed to leverage components of the specific applications used at Natanz – possibly a list of input/output addresses for that application – and would have worked perfectly in the Natanz environment.

Langner painstakingly connected the dots between components of the Stuxnet code and clues about Iran’s uranium enrichment program culled from a variety of open source intelligence, including public statements by Iranian officials and photos from a visit to Natanz by Iranian President Ahmadinejad that inadvertently provided details on the configuration of centrifuges within Natanz.

Contrary to much of the public reporting on Stuxnet, however, Langner said that the worm was not designed to destroy the Natanz facility, but rather to secretly and stealthily control the process and steer it into a virtual ditch.

To do that, the attackers ran repeated attacks over a period of months and only under extremely specific conditions that made the malware’s activity impossible to notice. The code Langner analyzed revealed an incredibly deep understanding of the functioning of the Simatic software and the centrifuges that the Iranians relied on.

“These guys know the centrifuges better than the Iranians,” Langner said of the Stuxnet authors. “They know everything. They know the timing, they know the inputs, and they know it by heart.”

When it came to actually carrying out Stuxnet’s most insidious attack – changing the output of the S7 PLCs from the management software – the worm’s authors didn’t need to leverage a sophisticated hack. Instead, they simply took advantage of a poor design decision by Siemens, the vendor that makes the Simatic software.

“The vendor in question made a decision to make the (PLC) input process image read-write instead of read only,” Langner said. That decision may have seemed inconsequential to the vendor and its customers, but it allowed the Stuxnet authors to merely record process input, then simply “play back” that data to the PLC controller interface during an attack to make it seem as if the device was behaving normally.
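To make the design point concrete, here is a toy model of a PLC scan cycle, added as an illustration (not Siemens code; the names `Plc`, `scan`, `replay_block` and the sensor values are constructed for this example). It shows why a writable input process image lets any program block overwrite the readings the control logic and operator view receive, and how a runtime that keeps the image read-only and checks its integrity refuses and counts such writes.

```python
# Toy model of one PLC scan cycle (constructed example, not vendor code).
from typing import Callable, Dict, List, Tuple

Image = Dict[str, float]

class ReadOnlyImage(dict):
    """Input process image that refuses writes from program blocks (hardened design)."""
    def __setitem__(self, key, value):
        raise PermissionError(f"input image is read-only: {key}")

class Plc:
    def __init__(self, writable_inputs: bool):
        self.writable_inputs = writable_inputs
        self.rejected_writes = 0  # audit counter for blocked write attempts

    def scan(self, sensors: Image, blocks: List[Callable[[Image], None]]) -> Tuple[Image, bool]:
        """One cycle: sample sensors into the image, run blocks, return what the logic saw."""
        image: Image = dict(sensors) if self.writable_inputs else ReadOnlyImage(sensors)
        for block in blocks:
            try:
                block(image)
            except PermissionError:
                self.rejected_writes += 1  # the write was refused, logic keeps live data
        seen = dict(image)
        # Integrity check: the runtime kept its own sampled copy, so any divergence
        # between it and the image handed to the logic is detectable.
        tampered = seen != sensors
        return seen, tampered

def replay_block(recorded: Image) -> Callable[[Image], None]:
    """The kind of write a read-only image must refuse: copying recorded
    'normal' readings over the live ones so the process looks healthy."""
    def block(image: Image) -> None:
        for key, value in recorded.items():
            image[key] = value
    return block

# Constructed sample data: a recorded 'normal' window and a later live reading.
RECORDED: Image = {"rotor_speed_hz": 1000.0, "pressure_mbar": 2.5}
LIVE: Image = {"rotor_speed_hz": 1300.0, "pressure_mbar": 2.5}

def run(writable: bool) -> Tuple[Image, bool, int]:
    plc = Plc(writable_inputs=writable)
    seen, tampered = plc.scan(LIVE, [replay_block(RECORDED)])
    return seen, tampered, plc.rejected_writes

if __name__ == "__main__":
    print("writable image :", run(True))   # logic sees the recorded values
    print("read-only image:", run(False))  # write refused and counted
```

With a writable image the logic sees the stale recorded speed while the real reading has changed; with the read-only image the write is rejected, counted, and the live value reaches the logic.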

Langner used his analysis to criticize both Siemens and the U.S. Department of Homeland Security, both of which he accused of failing to take the security issues seriously.

“This is one of the biggest problems in ICS security,” Langner said. “And these guys are not taking it seriously.”

Sophisticated attackers have no need to develop sophisticated, zero day exploits for SCADA and ICS systems, Langner said, because those systems already have so many inherent design flaws.

“If I were your attacker, I wouldn’t bother to discover a buffer overflow,” he said. “I’d just go to the design flaws, because they can be exploited much more reliably. This is how the pros do it.”

Responding to Langner’s presentation, a Siemens spokesman said that the company is aware that its legacy Simatic product lines contain vulnerabilities and is working to fix those issues. 

“Additionally, Siemens is focused on developing new products with more robust safety and security features to adapt to the realities of the cyber world,” said Alexander Machowetz, head of media relations at Siemens Industrial in an e-mail statement. “Industrial Security is a two-way street. What we need now is to closely cooperate with plant operators and systems integrators to ensure the latest password protection and information security systems are in place. Let me reassure you that we take all researchers and their findings very seriously,” Machowetz wrote. 

Sean McBride of the SCADA and ICS security firm Critical Intelligence said that Langner’s presentation was impressive. “The amount of work he did to reverse engineer that code and analyze it is incredible,” he said. McBride said that Langner raised important points in talking about the role that poor and insecure design played in the Stuxnet attack and other such attacks. But he also wondered whether Langner might face the wrath of the U.S. government or the intelligence sector for providing such in depth analysis of the Stuxnet code to the public. “I think he was incredibly brave to get up there and give that presentation,” said McBride.

Discussion

  • Rob on

    "that attackers were able to exploit weak design in Siemens software, rather than having to exploit a software vulnerability"

    Weak design IS a software vulnerability

  • ner0 on

    "Weak design IS a software vulnerability"

    Correct. I think what is meant here is that this specific exploit doesn't fit the common category where a flaw in an existing security policy allows the exploitation to occur given a specific approach, based on a set of readily available parameters. Since a potential threat was never assessed, it was vulnerable from day 1. The software is flawed by design and makes one wonder how has it survived thus far (Stuxnet) without raising serious question. I guess that getting a job as a security expert for ICS got really easier.

  • Anonymous on

    Incorrect! Weak design is a security flaw. A vulnerability is an implementation bug with security impact. The difference is only relevant in academic circles.

  • Anonymous on

    Weak design is NOT always a security flaw thus none of your definitions make any sense whatsoever.

  • Anonymous 50 on

    Let's face it Ladies, If you get access to the floor and you can stick a key in it, then game f'*in over, you are on the physical perimeter. You know, It could be done on DeltaV - Dvadmin, ABB, Allen Bradley etc.. // Siemens is dicked here because it happened overseas on a Nuke, If the attack were targeted to the USA // code || it would have been GE! Or well you know, code is code.

  • COPP on

    Thanks - Enjoyed this post, can you make it so I get an update sent in an email every time you make a new update?

  • SHUFF on

    I appreciate, cause I found exactly what I was looking for. You've ended my 4 day long hunt! God Bless you man. Have a great day. Bye