An undocumented access feature in some newer models of Siemens programmable logic controllers (PLCs) can be used as both a weapon by attackers as well as a forensic tool for defenders, researchers have discovered.
Researchers at Ruhr University Bochum in Germany stumbled across the hardware-based special access feature in Siemens' S7-1200 PLCs while studying its bootloader, which, among other things, handles software updates and verifies the integrity of the PLC's firmware when the device starts up.
They found that an attacker using the special access feature could bypass the bootloader's firmware integrity check within a half-second window when the PLC starts up and load malicious code to wrest control of the PLC's processes.
Just why the special access feature resides in the PLCs remains a mystery. There have been cases of embedded devices found harboring hidden maintenance ports left behind by vendors, for example, but the researchers were baffled by the existence of this one in the Siemens PLCs.
"We don't know why [Siemens has] this functionality," says Ali Abbasi, a research scholar at Ruhr-University Bochum, who, along with PhD student Tobias Scharnowski and professor Thorsten Holz, worked on the research. "Security-wise, it's wrong to have such a thing because you can also read and write to memory and dump the content of memory from the RAM."
The researchers shared their findings with Siemens, which says it's working on a fix for the vulnerability.
"Siemens is aware of the research from Ruhr University Bochum concerning hardware-based special access in SIMATIC S7-1200 CPUs. Siemens experts are working on a solution to resolve the issue. Siemens plans to publish further information regarding the vulnerability with a security advisory," the company said in a statement provided to Dark Reading. "Customers will be informed using the usual Siemens ProductCERT communication channels."
A key question is whether the fix requires a hardware replacement rather than a software update. When asked whether the PLC fix would be a software or hardware update, Siemens said its "experts are evaluating the alternatives."
But it turns out there is a silver lining with the Siemens PLC special access feature: "It's also useful for people like us who protect these devices. It provides for memory forensics of the PLC," Abbasi says.
The researchers were able to use the special access feature to view the content of the PLC memory, which means a plant operator could spot malicious code that may have been planted on his or her device. "Siemens doesn't let you see the content of the [PLC] memory, but you can do that with this special access feature," Abbasi says.
The researchers built a tool that performs this forensic memory dump, which they will release at Black Hat Europe next month in London when they will present their research findings
What They Did
The researchers were able to write their own code to the PLC's flash chip via its firmware update feature without the bootloader's checksum feature detecting it. The question, they say, is how to mitigate this type of attack since malicious code would be embedded into the flash memory of the bootloader.
"It really depends if Siemens can fix it via a software update or not. If they can with software, it also means the attacker can override the contents of the bootloader, which means there's no way to fix it," Abbasi says.
That's one reason the researchers wanted to release their tool for dumping contents of the firmware. "That then means an attacker can't hide his existence" in the PLC, Abbasi says.
An attacker with physical access to the port, or by rigging the PLC while it's being manufactured in the supply chain, could use this technique to read and write to the memory of the hardware. That would allow him or her to manipulate the operation of the PLC, providing phony measurements or other instrumentation data, for example.
"One of the main issues is there's this notion of trust in a newly delivered PLC," Scharnowski says.
He notes that it's not the special access feature itself that allows you to read and write to the flash. "It's a combination of features that if you put them together in a clever way, you can use them to get your own code execution on it," Scharnowski says. "If you can do that, then you can control the PLC fully."
Props for Siemens Security
The researchers say they chose to study Siemens' PLCs because it's one of the market leaders and also because there's little known publicly about the PLC's operating system, Adonis.
While many embedded systems today remain poorly secured, they say Siemens has done more with security than some other vendors.
"Honestly, if you compare them to other PLCs, they are doing very well. They keep adding features and security features that we have to bypass," Abbasi says. "They are doing a lot of good things that place them ahead of others in the embedded security domain."
Even so, the researchers maintain there's a lot more work to do in protecting plant operators from attackers or supply chain corruption of their PLCs. If there's a special feature like the one in Siemens PLCs, they say, the vendor should inform their customers. "Customers deserve to know so in their risk calculation they can consider this risk as well," Abbasi says.
The Ruhr University Bochum team's work is the latest in a string of PLC research projects. This summer another team of security researchers built a phony engineering workstation that was able to dupe and alter operations of the Siemens S7 programmable logic controller (PLC) after discovering that modern S7 PLC families running the same firmware also share the same public cryptographic key.
And in 2016, Abbasi, then a Ph.D. candidate at University of Twente, Netherlands, and Majid Hashemi, a system programmer and independent security researcher at the time of their research, created a PLC rootkit that could operate on any brand of PLC.