Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:45 PM
Connect Directly

Siemens PLC Feature Can Be Exploited for Evil - and for Good

A hidden feature in some newer models of the vendor's programmable logic controllers leaves the devices open to attack. Siemens says it plans to fix it.

An undocumented access feature in some newer models of Siemens programmable logic controllers (PLCs) can be used as both a weapon by attackers as well as a forensic tool for defenders, researchers have discovered.

Researchers at Ruhr University Bochum in Germany stumbled across the hardware-based special access feature in Siemens' S7-1200 PLCs while studying its bootloader, which, among other things, handles software updates and verifies the integrity of the PLC's firmware when the device starts up.

They found that an attacker using the special access feature could bypass the bootloader's firmware integrity check within a half-second window when the PLC starts up and load malicious code to wrest control of the PLC's processes.

Just why the special access feature resides in the PLCs remains a mystery. There have been cases of embedded devices found harboring hidden maintenance ports left behind by vendors, for example, but the researchers were baffled by the existence of this one in the Siemens PLCs.

"We don't know why [Siemens has] this functionality," says Ali Abbasi, a research scholar at Ruhr-University Bochum, who, along with PhD student Tobias Scharnowski and professor Thorsten Holz, worked on the research. "Security-wise, it's wrong to have such a thing because you can also read and write to memory and dump the content of memory from the RAM."

The researchers shared their findings with Siemens, which says it's working on a fix for the vulnerability.

"Siemens is aware of the research from Ruhr University Bochum concerning hardware-based special access in SIMATIC S7-1200 CPUs. Siemens experts are working on a solution to resolve the issue. Siemens plans to publish further information regarding the vulnerability with a security advisory," the company said in a statement provided to Dark Reading. "Customers will be informed using the usual Siemens ProductCERT communication channels." 

A key question is whether the fix requires a hardware replacement rather than a software update. When asked whether the PLC fix would be a software or hardware update, Siemens said its "experts are evaluating the alternatives."

But it turns out there is a silver lining with the Siemens PLC special access feature: "It's also useful for people like us who protect these devices. It provides for memory forensics of the PLC," Abbasi says.

The researchers were able to use the special access feature to view the content of the PLC memory, which means a plant operator could spot malicious code that may have been planted on his or her device. "Siemens doesn't let you see the content of the [PLC] memory, but you can do that with this special access feature," Abbasi says.

The researchers built a tool that performs this forensic memory dump, which they will release at Black Hat Europe next month in London when they will present their research findings

What They Did
The researchers were able to write their own code to the PLC's flash chip via its firmware update feature without the bootloader's checksum feature detecting it. The question, they say, is how to mitigate this type of attack since malicious code would be embedded into the flash memory of the bootloader.

"It really depends if Siemens can fix it via a software update or not. If they can with software, it also means the attacker can override the contents of the bootloader, which means there's no way to fix it," Abbasi says.

That's one reason the researchers wanted to release their tool for dumping contents of the firmware. "That then means an attacker can't hide his existence" in the PLC, Abbasi says.

An attacker with physical access to the port, or by rigging the PLC while it's being manufactured in the supply chain, could use this technique to read and write to the memory of the hardware. That would allow him or her to manipulate the operation of the PLC, providing phony measurements or other instrumentation data, for example.

"One of the main issues is there's this notion of trust in a newly delivered PLC," Scharnowski says.

He notes that it's not the special access feature itself that allows you to read and write to the flash. "It's a combination of features that if you put them together in a clever way, you can use them to get your own code execution on it," Scharnowski says. "If you can do that, then you can control the PLC fully."

Props for Siemens Security
The researchers say they chose to study Siemens' PLCs because it's one of the market leaders and also because there's little known publicly about the PLC's operating system, Adonis.

While many embedded systems today remain poorly secured, they say Siemens has done more with security than some other vendors.

"Honestly, if you compare them to other PLCs, they are doing very well. They keep adding features and security features that we have to bypass," Abbasi says. "They are doing a lot of good things that place them ahead of others in the embedded security domain."

Even so, the researchers maintain there's a lot more work to do in protecting plant operators from attackers or supply chain corruption of their PLCs. If there's a special feature like the one in Siemens PLCs, they say, the vendor should inform their customers. "Customers deserve to know so in their risk calculation they can consider this risk as well," Abbasi says.

The Ruhr University Bochum team's work is the latest in a string of PLC research projects. This summer another team of security researchers built a phony engineering workstation that was able to dupe and alter operations of the Siemens S7 programmable logic controller (PLC) after discovering that modern S7 PLC families running the same firmware also share the same public cryptographic key. 

And in 2016, Abbasi, then a Ph.D. candidate at University of Twente, Netherlands, and Majid Hashemi, a system programmer and independent security researcher at the time of their research, created a PLC rootkit that could operate on any brand of PLC.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Cybersecurity Team Holiday Guide: 2019 Gag Gift Edition
Ericka Chickowski, Contributing Writer,  12/2/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.