SCADA Password-Cracking Tool For Siemens S7 PLCs Released

Siemens says no bug involved so no patch needed, and is working on simplifying patching overall for its customers

A Russian security researcher has released a brute-force password-cracking tool that recovers passwords for Siemens S7 programmable logic controllers (PLCs), the devices that run machinery in power plants and manufacturing sites.

Sergey Gordeychik, a researcher with Positive Technologies, last week at the S4 2013 conference in Miami released the proof-of-concept tool, which brute-forces the password from the challenge-response exchange captured in S7 TCP/IP traffic. The tool demonstrates how an attacker on an adjacent network could obtain credentials for the PLCs simply by capturing that exchange and brute-forcing the password.

S7 is the protocol used for communicating among engineering systems, SCADA, HMI, and PLC equipment, and can be password-protected. "We wrote two brute-force authentications for S7," Gordeychik says.

Siemens was the target of much of the vulnerability research at last week's conference, where another researcher also demonstrated how to intercept S7-400 PLC passwords. Erik Johansson, an independent consultant and researcher at the Royal Institute of Technology in Sweden, demonstrated how unpatched S7 systems are susceptible to attack and control by an unauthorized user who grabs their passwords. Siemens described the flaw as a security "weakness in the programming and configuration client software authentication method" that the S7 employs.

As one of the most prevalent vendors in the SCADA/ICS world, Siemens has been under the microscope of security researchers ever since it was revealed in 2010 that the Stuxnet attack zeroed in on its process control system products. The vendor, for the most part, has issued patches in response to bugs that are publicly reported, and also has begun updating its product families with more built-in security features as well as better-written code.

ICS-CERT issued a security alert about the password-cracker after Gordeychik's presentation last week. "ICS-CERT has notified the affected vendor of the report and has asked the vendor to confirm the attack vector and identify mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks," the alert says.

[Researcher Dillon Beresford shows holes in Siemens programmable logic controllers (PLCs) that could lead to attacks. See Siemens Shows Up For Black Hat Demo Of SCADA Hack.]

Dr. Tobias Limmer of the Siemens Product CERT team says the free tool doesn't go after any particular vulnerability in the S7 PLC. "This is not a vulnerability," Limmer says. "It's ... a tool that tries to get the password on" the PLCs, he says. "We don't need to release a patch" for this, he says.

Protection against password-cracking, he says, requires using strong passwords. "Eight characters is not enough," Limmer says. "The password should be as long as possible. If it's a good password, you should be protected."

ICS-CERT in its advisory recommends that control system devices not be directly exposed to the Internet, that they sit behind firewalls, and that they be isolated from the corporate network. Remote access should be allowed only via virtual private networks, the advisory says.
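The two checks below turn that guidance into something an operator can run over firewall logs: first, S7 traffic (TCP port 102, the ISO-TSAP port S7comm rides on) should only ever come from the engineering subnet, which is what denies an attacker the "adjacent network" position described above; second, a burst of repeated S7 session setups from one source is what an online password-guessing attempt looks like on the wire and should raise an alert. This is an added example, not code from the article, Positive Technologies, ICS-CERT or Siemens; the log line format, the addresses and the engineering subnet are all constructed for the example.

```python
"""Added example (not from the article or any vendor): flag S7 sessions from
outside the engineering subnet and bursts of S7 session setups from one host.
Log format and all addresses are constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

S7_PORT = 102  # ISO-TSAP; S7comm is carried over this TCP port

# Constructed log format: "<iso timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_log(text):
    """Parse constructed connection-log lines into event dicts; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
        })
    return events


def unauthorized_s7_sources(events, allowed_nets):
    """Sources opening S7 sessions that are not inside any allowed engineering network."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return sorted({
        str(e["src"]) for e in events
        if e["dport"] == S7_PORT and not any(e["src"] in n for n in nets)
    })


def s7_burst_sources(events, threshold=10, window=timedelta(seconds=60)):
    """Sources that open at least `threshold` S7 sessions within any sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == S7_PORT:
            by_src[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until the span fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(str(src))
                break
    return sorted(flagged)


def build_sample_log():
    """Constructed log: a normal engineering session, one corporate host reaching
    a PLC on port 102, and one engineering host hammering the PLC with sessions."""
    t0 = datetime(2013, 1, 21, 10, 0, 0)
    lines = [
        f"{t0.isoformat()} src=10.10.5.20 dst=10.10.1.7 dport=102",
        f"{(t0 + timedelta(minutes=5)).isoformat()} src=10.10.5.20 dst=10.10.1.7 dport=102",
        f"{(t0 + timedelta(minutes=2)).isoformat()} src=192.168.77.9 dst=10.10.1.7 dport=102",
        f"{(t0 + timedelta(minutes=3)).isoformat()} src=192.168.77.9 dst=10.10.1.7 dport=443",
    ]
    # 20 S7 session setups in 40 seconds from one engineering-subnet host
    for i in range(20):
        ts = t0 + timedelta(minutes=7, seconds=2 * i)
        lines.append(f"{ts.isoformat()} src=10.10.5.31 dst=10.10.1.7 dport=102")
    return "\n".join(lines)


ALLOWED_ENGINEERING_NETS = ["10.10.5.0/24"]  # constructed engineering subnet


def analyze(log_text=None):
    """Run both checks; defaults to the constructed sample log."""
    events = parse_log(log_text if log_text is not None else build_sample_log())
    return {
        "unauthorized": unauthorized_s7_sources(events, ALLOWED_ENGINEERING_NETS),
        "bursts": s7_burst_sources(events),
    }


if __name__ == "__main__":
    for kind, srcs in analyze().items():
        print(kind, srcs)
```

On the sample log the corporate host 192.168.77.9 is reported as an unauthorized S7 source (its port 443 connection is ignored) and 10.10.5.31 is reported as a burst source, while the engineering workstation's two sessions five minutes apart trip neither check. The threshold and window are deliberately parameters: a site whose engineering tools legitimately reconnect often should tune them against a baseline rather than accept the defaults.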

Positive Technologies' Gordeychik also pointed out vulnerabilities his team had discovered in other Siemens products, many of which have since been fixed by the vendor. He says the team found bugs in Simatic WinCC 7.X, Simatic WinCC Flexible HMI software for hardware panels, TIA Portal, the KTP family of HMI panels, and S7 PLCs.

The vulnerabilities can be used for stealing information, running code on an operator workstation in client- or server-side attacks, reading files, grabbing and resetting passwords, uploading custom code to PLCs, and decrypting secured communications, he says.

Meanwhile, Gordeychik says the quality of security patches coming from Siemens has improved. "Previously, they were not quite that good. Now they are implementing an internal patch review process ... to see if that patch really patches something," for example, he says.

But most organizations don't bother patching. SCADA security experts estimate that about 10 to 20 percent of organizations today actually install patches that their vendors release.

"That's actually a huge problem," Siemens' Limmer says. He says that Siemens is working on ways to make patching easier on its customers, but would not elaborate on just what that would entail.

"Our goal is to help the customer out and find the best solution and help them in this patching problem," he says.

But patching and best practices are obviously just one part of the equation in SCADA security. "The first step is for vendors to offer products that are secure, especially on the controller side," says Dale Peterson, CEO of Digital Bond, which sponsored the S4 conference. "Then owners/operators [of industrial communications systems] will have a choice. But I have some customers who are upgrading their PLCs and had to buy insecure PLCs because there was no secure one they could buy."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comment, 1/14/2014 7:30:08 AM, re: SCADA Password-Cracking Tool For Siemens S7 PLCs Released:

We have a Siemens PLC S7 2000 CPU. I want to upload the program for backup, but it shows a password error.