Siemens PLC Feature Can Be Exploited for Evil

Siemens PLC Feature Can Be Exploited for Evil - and for Good

A hidden feature in some newer models of the vendors programmable logic controllers leaves the devices open to attack. Siemens says it plans to fix it.

An undocumented access feature in some newer models of Siemens programmable logic controllers (PLCs) can be used as both a weapon by attackers as well as a forensic tool for defenders, researchers have discovered.
Researchers at Ruhr University Bochum in Germany stumbled across the hardware-based special access feature in Siemens S7-1200 PLCs while studying its bootloader, which, among other things, handles software updates and verifies the integrity of the PLCs firmware when the device starts up.
They found that an attacker using the special access feature could bypass the bootloaders firmware integrity check within a half-second window when the PLC starts up and load malicious code to wrest control of the PLCs processes.
Just why the special access feature resides in the PLCs remains a mystery. There have been cases of embedded devices found harboring hidden maintenance ports left behind by vendors, for example, but the researchers were baffled by the existence of this one in the Siemens PLCs.
We dont know why [Siemens has] this functionality, says Ali Abbasi, a research scholar at Ruhr-University Bochum, who, along with PhD student Tobias Scharnowski and professor Thorsten Holz, worked on the research. Security-wise, its wrong to have such a thing because you can also read and write to memory and dump the content of memory from the RAM.
The researchers shared their findings with Siemens, which says its working on a fix for the vulnerability.
Siemens is aware of the research from Ruhr University Bochum concerning hardware-based special access in SIMATIC S7-1200 CPUs. Siemens experts are working on a solution to resolve the issue. Siemens plans to publish further information regarding the vulnerability with a security advisory, the company said in a statement provided to Dark Reading. Customers will be informed using the usual
Siemens ProductCERT communication channels
.
A key question is whether the fix requires a hardware replacement rather than a software update. When asked whether the PLC fix would be a software or hardware update, Siemens said its experts are evaluating the alternatives.
But it turns out there is a silver lining with the Siemens PLC special access feature: Its also useful for people like us who protect these devices. It provides for memory forensics of the PLC, Abbasi says.
The researchers were able to use the special access feature to view the content of the PLC memory, which means a plant operator could spot malicious code that may have been planted on his or her device. Siemens doesnt let you see the content of the [PLC] memory, but you can do that with this special access feature, Abbasi says.
The researchers built a tool that performs this forensic memory dump, which they will release
at Black Hat Europe next month
in London when they will present their research findings
What They Did
The researchers were able to write their own code to the PLCs flash chip via its firmware update feature without the bootloaders checksum feature detecting it. The question, they say, is how to mitigate this type of attack since malicious code would be embedded into the flash memory of the bootloader.
It really depends if Siemens can fix it via a software update or not. If they can with software, it also means the attacker can override the contents of the bootloader, which means theres no way to fix it, Abbasi says.
Thats one reason the researchers wanted to release their tool for dumping contents of the firmware. That then means an attacker cant hide his existence in the PLC, Abbasi says.
An attacker with physical access to the port, or by rigging the PLC while its being manufactured in the supply chain, could use this technique to read and write to the memory of the hardware. That would allow him or her to manipulate the operation of the PLC, providing phony measurements or other instrumentation data, for example.
One of the main issues is theres this notion of trust in a newly delivered PLC, Scharnowski says.
He notes that its not the special access feature itself that allows you to read and write to the flash. Its a combination of features that if you put them together in a clever way, you can use them to get your own code execution on it, Scharnowski says. If you can do that, then you can control the PLC fully.
Props for Siemens Security
The researchers say they chose to study Siemens PLCs because its one of the market leaders and also because theres little known publicly about the PLCs operating system, Adonis.
While many embedded systems today remain poorly secured, they say Siemens has done more with security than some other vendors.
Honestly, if you compare them to other PLCs, they are doing very well. They keep adding features and security features that we have to bypass, Abbasi says. They are doing a lot of good things that place them ahead of others in the embedded security domain.
Even so, the researchers maintain theres a lot more work to do in protecting plant operators from attackers or supply chain corruption of their PLCs. If theres a special feature like the one in Siemens PLCs, they say, the vendor should inform their customers. Customers deserve to know so in their risk calculation they can consider this risk as well, Abbasi says.
The Ruhr University Bochum teams work is the latest in a string of PLC research projects. This summer another team of security researchers built a phony engineering workstation that was able to
dupe and alter operations of the Siemens S7 programmable logic controller (PLC)
after discovering that modern S7 PLC families running the same firmware also share the same public cryptographic key.
And in 2016, Abbasi, then a Ph.D. candidate at University of Twente, Netherlands, and Majid Hashemi, a system programmer and independent security researcher at the time of their research, created a PLC rootkit that could operate on any brand of PLC.
Related Content:
Siemens S7 PLCs Share Same Crypto Key Pair, Researchers Find
PLCs Possessed: Researchers Create Undetectable Rootkit
Stealthy New PLC Hack Jumps the Air Gap
8 Trends in Vulnerability and Patch Management

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for
more information
and, to register,
here
.

Last News
▸ Twitter adds SMS for enhanced security. ◂ Discovered: 26/12/2024 Category: security	▸ Hacking journalists case revives security research legal debates. ◂ Discovered: 26/12/2024 Category: security	▸ Fresh report reveals attackers targeting electric grid. ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Siemens PLC Feature Can Be Exploited for Evil - and for Good