Siemens PLC Feature Can Be Exploited for Evil - and for Good

A hidden feature in some newer models of the vendor's programmable logic controllers leaves the devices open to attack. Siemens says it plans to fix it.

An undocumented access feature in some newer models of Siemens programmable logic controllers (PLCs) can be used as both a weapon by attackers as well as a forensic tool for defenders, researchers have discovered.

Researchers at Ruhr University Bochum in Germany stumbled across the hardware-based special access feature in Siemens' S7-1200 PLCs while studying their bootloader, which, among other things, handles software updates and verifies the integrity of the PLC's firmware when the device starts up.

They found that an attacker using the special access feature could bypass the bootloader's firmware integrity check within a half-second window when the PLC starts up and load malicious code to wrest control of the PLC's processes.

Just why the special access feature resides in the PLCs remains a mystery. There have been cases of embedded devices found harboring hidden maintenance ports left behind by vendors, for example, but the researchers were baffled by the existence of this one in the Siemens PLCs.

"We don't know why [Siemens has] this functionality," says Ali Abbasi, a research scholar at Ruhr-University Bochum, who, along with PhD student Tobias Scharnowski and professor Thorsten Holz, worked on the research. "Security-wise, it's wrong to have such a thing because you can also read and write to memory and dump the content of memory from the RAM."

The researchers shared their findings with Siemens, which says it's working on a fix for the vulnerability.

"Siemens is aware of the research from Ruhr University Bochum concerning hardware-based special access in SIMATIC S7-1200 CPUs. Siemens experts are working on a solution to resolve the issue. Siemens plans to publish further information regarding the vulnerability with a security advisory," the company said in a statement provided to Dark Reading. "Customers will be informed using the usual Siemens ProductCERT communication channels." 

A key question is whether the fix requires a hardware replacement rather than a software update. When asked whether the PLC fix would be a software or hardware update, Siemens said its "experts are evaluating the alternatives."

But it turns out there is a silver lining with the Siemens PLC special access feature: "It's also useful for people like us who protect these devices. It provides for memory forensics of the PLC," Abbasi says.

The researchers were able to use the special access feature to view the content of the PLC memory, which means a plant operator could spot malicious code that may have been planted on his or her device. "Siemens doesn't let you see the content of the [PLC] memory, but you can do that with this special access feature," Abbasi says.

The researchers built a tool that performs this forensic memory dump, which they will release at Black Hat Europe next month in London, where they will present their research findings.

What They Did
The researchers were able to write their own code to the PLC's flash chip via its firmware update feature without the bootloader's checksum feature detecting it. The question, they say, is how to mitigate this type of attack, since the malicious code would be embedded in the same flash memory that holds the bootloader.
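The general point behind that finding is that an integrity check is only as strong as the storage its reference value lives in. The following is an added example written for this page, not Siemens' bootloader code or the researchers' tool, and its image layout, key and payload are constructed for illustration rather than taken from the S7-1200. It shows a naive boot check whose checksum sits in writable flash next to the image (an attacker who can write the flash simply recomputes it) beside a check keyed with a secret that is assumed to live in immutable storage the attacker can neither read nor overwrite.

```python
"""Added example (not Siemens' code or the Bochum researchers' tool):
why a checksum stored next to a firmware image does not stop an attacker
who can write the flash, and what an anchored check changes.
Image layout, key and payload below are constructed for illustration
and are not the real S7-1200 format."""

import hashlib
import hmac
import struct
import zlib

# Constructed layout: payload followed by a 4-byte little-endian CRC32
# footer that the naive bootloader recomputes at every boot.
def build_image(payload: bytes) -> bytes:
    return payload + struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def checksum_boot_check(image: bytes) -> bool:
    """Naive verifier: reference value lives in writable flash with the image."""
    payload, footer = image[:-4], image[-4:]
    return struct.unpack("<I", footer)[0] == (zlib.crc32(payload) & 0xFFFFFFFF)

def attacker_patch(image: bytes, offset: int, patch: bytes) -> bytes:
    """Attacker who can write flash: patch the payload, then fix up the footer."""
    payload = bytearray(image[:-4])
    payload[offset:offset + len(patch)] = patch
    return build_image(bytes(payload))

# Hardened variant: a MAC keyed with a secret assumed (for this demo) to sit in
# OTP/immutable storage that only the ROM boot stage can read. The attacker can
# still rewrite the image and the tag, but cannot compute a valid tag.
ROM_KEY = b"constructed-demo-key-not-real"  # assumption: unreadable and unwritable by the attacker

def build_signed_image(payload: bytes) -> bytes:
    tag = hmac.new(ROM_KEY, payload, hashlib.sha256).digest()
    return payload + tag

def keyed_boot_check(image: bytes) -> bool:
    payload, tag = image[:-32], image[-32:]
    expected = hmac.new(ROM_KEY, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def attacker_patch_signed(image: bytes, offset: int, patch: bytes) -> bytes:
    """Same attacker against the keyed check: bytes can be patched, but without
    ROM_KEY the best the attacker can do is an unkeyed digest, which fails."""
    payload = bytearray(image[:-32])
    payload[offset:offset + len(patch)] = patch
    forged_tag = hashlib.sha256(bytes(payload)).digest()  # no key available
    return bytes(payload) + forged_tag

def demo() -> dict:
    firmware = b"\x00" * 16 + b"CTRL LOOP v1" + b"\x00" * 16  # constructed payload
    img = build_image(firmware)
    patched = attacker_patch(img, 16, b"EVIL LOOP v1")
    signed = build_signed_image(firmware)
    patched_signed = attacker_patch_signed(signed, 16, b"EVIL LOOP v1")
    return {
        "clean_crc_ok": checksum_boot_check(img),
        "patched_crc_ok": checksum_boot_check(patched),      # True: forged footer passes
        "clean_mac_ok": keyed_boot_check(signed),
        "patched_mac_ok": keyed_boot_check(patched_signed),  # False: patch is caught
    }

if __name__ == "__main__":
    print(demo())
```

The caveat the researchers raise still applies to the hardened variant: if the code that performs the keyed check itself lives in flash the attacker can rewrite, the attacker patches the verifier rather than the tag. The check only holds if both the key and the verifying stage are anchored in something that cannot be overwritten from the update path.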

"It really depends if Siemens can fix it via a software update or not. If they can with software, it also means the attacker can override the contents of the bootloader, which means there's no way to fix it," Abbasi says.

That's one reason the researchers wanted to release their tool for dumping contents of the firmware. "That then means an attacker can't hide his existence" in the PLC, Abbasi says.
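The defensive use described above, comparing what is actually in the PLC's memory against what should be there, is illustrated by the following added example. It is not the researchers' dump tool and does not talk to a PLC: the memory map, the golden image and the tampered dump are all constructed inline, and the region names are a hypothetical layout rather than the S7-1200's. It hashes each region of a dump against a known-good reference and reports the exact byte runs that differ, which is the comparison an operator would run once a dump exists.

```python
"""Added example (not the Bochum researchers' tool): forensic triage of a
memory/firmware dump by diffing it against a known-good reference image.
The region map and both images are constructed for illustration; a real
dump would come from the device and a real golden image from the vendor
or a trusted baseline capture."""

import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int  # exclusive

# Hypothetical memory map for the demo; not the S7-1200 layout.
REGIONS = [
    Region("bootloader", 0x0000, 0x0100),
    Region("firmware", 0x0100, 0x0300),
    Region("user_program", 0x0300, 0x0400),
]

def region_hashes(dump: bytes, regions=REGIONS) -> dict:
    """SHA-256 per region, so a clean region can be matched with one compare."""
    return {r.name: hashlib.sha256(dump[r.start:r.end]).hexdigest() for r in regions}

def changed_offsets(golden: bytes, dump: bytes):
    """Return (start, end) runs of byte offsets where dump differs from golden,
    treating a length mismatch as a difference at the missing offsets."""
    runs = []
    start = None
    n = max(len(golden), len(dump))
    for i in range(n):
        g = golden[i] if i < len(golden) else None
        d = dump[i] if i < len(dump) else None
        if g != d:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, n))
    return runs

def triage(golden: bytes, dump: bytes, regions=REGIONS) -> dict:
    """Per-region verdict ('ok' or 'modified') plus the differing byte runs
    that fall inside that region."""
    gh = region_hashes(golden, regions)
    dh = region_hashes(dump, regions)
    runs = changed_offsets(golden, dump)
    report = {}
    for r in regions:
        hits = [(s, e) for s, e in runs if s < r.end and e > r.start]
        status = "ok" if gh[r.name] == dh[r.name] else "modified"
        report[r.name] = {"status": status, "runs": hits}
    return report

def make_demo_images():
    """Constructed golden image and a copy with an implant in the bootloader region."""
    golden = bytearray(b"\x55" * 0x400)
    golden[0x0300:0x0310] = b"OB1 MAIN PROGRAM"
    tampered = bytearray(golden)
    tampered[0x0040:0x0048] = b"\xde\xad\xbe\xef" * 2
    return bytes(golden), bytes(tampered)

if __name__ == "__main__":
    g, t = make_demo_images()
    for name, v in triage(g, t).items():
        print(f"{name:13s} {v['status']:9s} {[(hex(s), hex(e)) for s, e in v['runs']]}")
```

The per-region hash is what you would record as a baseline for a fleet; the byte-run diff is what you look at when a hash mismatches, since it tells you whether the change is a vendor update or a small patch in a place no update should touch.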

An attacker with physical access to the port, or one who tampers with the PLC while it is being manufactured or shipped through the supply chain, could use this technique to read and write the device's memory. That would allow the attacker to manipulate the operation of the PLC, for example by feeding phony measurements or other instrumentation data to operators.

"One of the main issues is there's this notion of trust in a newly delivered PLC," Scharnowski says.

He notes that it's not the special access feature itself that allows you to read and write to the flash. "It's a combination of features that if you put them together in a clever way, you can use them to get your own code execution on it," Scharnowski says. "If you can do that, then you can control the PLC fully."

Props for Siemens Security
The researchers say they chose to study Siemens' PLCs because it's one of the market leaders and also because there's little known publicly about the PLC's operating system, Adonis.

While many embedded systems today remain poorly secured, they say Siemens has done more with security than some other vendors.

"Honestly, if you compare them to other PLCs, they are doing very well. They keep adding features and security features that we have to bypass," Abbasi says. "They are doing a lot of good things that place them ahead of others in the embedded security domain."

Even so, the researchers maintain there's a lot more work to do in protecting plant operators from attackers or supply chain corruption of their PLCs. If there's a special feature like the one in Siemens PLCs, they say, the vendor should inform their customers. "Customers deserve to know so in their risk calculation they can consider this risk as well," Abbasi says.

The Ruhr University Bochum team's work is the latest in a string of PLC research projects. This summer another team of security researchers built a phony engineering workstation that was able to dupe the Siemens S7 PLC and alter its operations, after discovering that modern S7 PLC families running the same firmware also share the same public cryptographic key.

And in 2016, Abbasi, then a Ph.D. candidate at University of Twente, Netherlands, and Majid Hashemi, a system programmer and independent security researcher at the time of their research, created a PLC rootkit that could operate on any brand of PLC.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
