Critical security flaws found in Siemens' PLC series

Hard-coded credentials, a replay attack and a “dancing monkeys” Easter egg were among the findings demonstrated at the Black Hat conference.

August 5, 2011
by Design Engineering Staff

Network security site threatpost.com reports that, at the annual Black Hat technical security conference this past Wednesday, Dillon Beresford, a researcher at security testing company NSS Labs, demonstrated a number of “critical” security holes in certain Siemens PLC models programmed with the company’s Simatic Step 7 software.

Among the most serious of the reported flaws is a username and password hard-coded into a version of the S7-300 PLC’s firmware. The backdoor, Beresford said, would allow an attacker to gain access to the PLC over Telnet or HTTP and execute commands or reprogram the entire unit. A credential baked into firmware cannot be rotated by the operator and is the same on every unit running that firmware version, so once it is known it works against any of them.

Another serious vulnerability is a “replay attack”: because the PLC does not tie commands to a session or authenticate who sent them, an attacker can capture the commands exchanged between a PC and a Siemens PLC and later send the same captured packets, unchanged, to a remote PLC of the same type, which accepts them. Using this method, an attacker could stop the controller or sabotage the process the PLC controls.
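The following is an added illustration of why the replay described above works and what prevents it. It is a constructed toy model written for this article, not Siemens’ S7 protocol or any Siemens code: a “naive” controller that accepts bare command frames, beside a controller that issues a fresh per-session nonce and requires an HMAC over nonce plus command. The shared key, command names and frame layout are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# --- Unauthenticated controller (the situation the article describes) -------
class NaivePLC:
    """Accepts any well-formed command frame. Nothing binds a frame to a
    session or a device, so a captured frame works anywhere, at any time."""

    def __init__(self) -> None:
        self.running = True

    def handle(self, frame: bytes) -> bool:
        cmd = frame.decode("ascii", errors="replace")
        if cmd == "STOP":
            self.running = False
        elif cmd == "RUN":
            self.running = True
        else:
            return False
        return True


# --- Challenge-response controller (a generic mitigation, not a Siemens fix) --
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 digest length

class ChallengePLC:
    """Each command must carry the nonce this device issued for the current
    exchange and an HMAC-SHA256 over nonce || command under a shared key.
    The nonce is single-use, so a captured frame is rejected on replay."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.running = True
        self.pending = None  # nonce handed out but not yet consumed

    def challenge(self) -> bytes:
        self.pending = os.urandom(NONCE_LEN)
        return self.pending

    def handle(self, frame: bytes) -> bool:
        nonce = frame[:NONCE_LEN]
        tag = frame[NONCE_LEN:NONCE_LEN + TAG_LEN]
        cmd = frame[NONCE_LEN + TAG_LEN:]
        if self.pending is None or not hmac.compare_digest(nonce, self.pending):
            return False  # nonce belongs to another device or was already used
        expected = hmac.new(self.key, nonce + cmd, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # tag does not match this nonce/command: forged or edited
        self.pending = None  # consume the nonce
        return self._execute(cmd)

    def _execute(self, cmd: bytes) -> bool:
        if cmd == b"STOP":
            self.running = False
        elif cmd == b"RUN":
            self.running = True
        else:
            return False
        return True


def build_frame(key: bytes, nonce: bytes, cmd: bytes) -> bytes:
    """Engineering-station side: sign the command for the nonce it was given."""
    tag = hmac.new(key, nonce + cmd, hashlib.sha256).digest()
    return nonce + tag + cmd


def demo() -> dict:
    """Run the capture-and-replay scenario against both controller models."""
    results = {}

    # 1. Naive model: a STOP captured on the way to PLC A is replayed to PLC B.
    a, b = NaivePLC(), NaivePLC()
    captured = b"STOP"  # constructed capture of the frame sent to A
    a.handle(captured)
    results["naive_replay_accepted"] = b.handle(captured)
    results["naive_b_running"] = b.running

    # 2. Hardened model, worst case: both devices share the same key.
    key = b"constructed-demo-key-not-a-real-secret"
    c, d = ChallengePLC(key), ChallengePLC(key)
    frame = build_frame(key, c.challenge(), b"STOP")
    results["hardened_legit_accepted"] = c.handle(frame)
    results["hardened_replay_same_device"] = c.handle(frame)  # nonce consumed
    d.challenge()
    results["hardened_replay_other_device"] = d.handle(frame)  # nonce mismatch
    results["hardened_d_running"] = d.running

    # 3. Attacker splices D's visible nonce onto the captured tag, no key known.
    forged = d.challenge() + frame[NONCE_LEN:NONCE_LEN + TAG_LEN] + b"STOP"
    results["hardened_forged_tag"] = d.handle(forged)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the second model is not the HMAC itself but the freshness: without a per-device, single-use nonce bound into the authenticated data, a signed frame is just as replayable as an unsigned one. A real fix would also need per-device keys; the demo deliberately shares one key to show that freshness alone already stops cross-device replay.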

Potentially affected models include the Siemens S7-200, S7-300, S7-400 and S7-1200 PLCs. Siemens officials, who were also present at the conference, said they have issued alerts for the vulnerabilities and will begin sending out patches for some of them this week, while other flaws will take longer to address.

While not a security fault in itself, Beresford said he also found an Easter egg (a bit of hidden code programmers sometimes include as a sort of private in-joke) in some versions of the Step 7 software that, when run, displays a cartoon animation of dancing monkeys. For a controller vendor, the practical concern is less the animation than what it implies: undocumented code shipped in a product that reached customers without being caught in review.

Read the full technical write-up at threatpost.com, Wired and CNET.