Dillon Beresford


UPDATE: Looking For a ‘FireSheep’ Moment, Researchers Lay Bare Woeful SCADA Security

Miami, Florida – A no-holds barred presentation at the S4 Conference laid bare the woeful state of security for many industrial control systems that power the world’s critical infrastructure. Organizers have also cooperated with security scanning firms Rapid7 and Tenable to release modules for the Metasploit and Nessus products that can test for the discovered security holes.


A month after an unknown gray hat hacker calling himself “pr0f” used a three character password to hack his way onto computers used to manage water treatment equipment in South Houston, Texas, a security researcher is accusing the company that makes the industrial control system (ICS) software, Siemens, of trying to cover up the existence of other, more serious vulnerabilities.

The Stuxnet worm may be the most famous piece of malicious software ever written. When it was first detected, a little over a year ago, the worm sounded a warning to nations around the world that critical infrastructure systems were potential targets of attack for foreign governments and cyber criminal organizations alike. But with the anniversary of the Stuxnet worm’s discovery just past, the Department of Homeland Security admits that it is now reevaluating whether it makes sense to warn the public about all of the security failings of industrial control system (ICS) and SCADA software. 

Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe.  

The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.