05 August 2011, 16:25

Siemens comments on "SCADA monkeys"

Security researcher Dillon Beresford has discovered various flaws in Siemens' PLC (Programmable Logic Controller) systems SIMATIC S7-200, S7-300, S7-400 and S7-1200. He performed the attacks live for the first time at the 2011 Black Hat security conference.

During the presentation, Thomas Brandstetter of Siemens CERT briefly took the stage with Beresford and said, "At some point you really have to accept that there are vulnerabilities in your products, and even monkeys. Accepting this was the first step in order to be able to handle this professionally." Professional handling apparently does not rule out humour. During the presentation, Brandstetter and Beresford both wore T-shirts based on an image from the S7-PLC's web server with the word "Pwned" on the back.

S7-PLCs display monkeys on a particular page of the webserver when accessed over HTTP. The three animated monkeys were shown along with a sentence in German roughly equivalent to "Not hearing, not working, just...". Beresford says that, as well as the web server, there is a telnet service that is only protected by a preset username and password combination, with the password being "basisk".

Beresford referred to these services several times as a backdoor, but Brandstetter told The H's associates at heise Security: "there is no backdoor in the PLCs, but rather a command-line and web server that developers installed for testing and debugging purposes." He says it was a mistake for the servers to have been kept in older versions of the firmware, but all of these problems have since been fixed with recent updates.

However, the firmware updates have apparently not remedied the problems on all models of the S7-PLC family; Beresford says that the latest firmware version was installed on the PLCs used for the demonstration, and all of the flaws and the backdoor could still be exploited. In his demo, Beresford used a number of Metasploit modules that he specifically programmed for attacks on S7 hardware, for instance, the modules can read the PLC's password-protected memory and allow changes to be made to it. Even when there is an effective update for the PLC software, the widely used S7 PLCs will probably remain vulnerable for quite some time. Users will typically wait for the system’s maintenance window to install the update, and one PLC expert says that could take up to 18 months.