Digging for Facts on the Siemens S7-1200 PLC Security Vulnerabilities, Part 1/3

The recent news that Dillon Beresford at NSS Labs had discovered somewhere between four and six serious vulnerabilities in the Siemens S7 PLC product has created quite a storm of news and concern for critical asset owners. Unfortunately, information on the range and severity of the vulnerabilities has been contradictory.

Let’s start with what products are affected. Beresford claims that even though the attacks were developed on an S7-1200, other models of the S7 are also vulnerable. Siemens appears to claim otherwise, stating “The S7-300 and S7-400 controllers are not affected by the denial-of-service scenario, so there is no need for any firmware update with these controllers.” And NSS Labs state that “There is a possibility that PLCs from other vendors are similarly affected.” That is quite a range of affected products…

Beresford and Siemens Disagree on which Products are Affected

The contradictions don’t stop there. In an interview with Wired Magazine, Beresford offered this comment:

“They’re very easy to exploit,” Beresford said. “As long as you have access to [a PLC's] network you will be able to exploit them.”

Meanwhile Siemens released its own statement:

"While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers…"

NSS now promises to share the whole story at the Black Hat Conference, which runs August 2-3 in Las Vegas. And Siemens is promising patches possibly as early as next week. Until then what is the truth?

Frankly, I don’t really know. However, we have been able to determine a few “facts” from the various Siemens and NSS notices. We have also come up with a few guesses and comments, which I will share below:

S7-1200 PLC Web Server Vulnerability

1.    FACT: The exploits were developed against the S7-1200 PLC, which is not the same as the S7-300 and S7-400 PLC lines. The S7-1200 is a micro-PLC that is more common in machine and skid control and unusual in large critical processes.

2.    FACT: At least one of the exploits is a Denial of Service (DoS) attack against S7-1200 PLC, via its integrated web server.

3.    GUESS: It is highly unlikely that this particular exploit is transferable to the S7-300 and S7-400 products. It might affect other vendors’ PLC products if the web server firmware is based on commercially available software. As I noted in another one of my blogs, PLC Security Risk: Controller Operating Systems, many ICS vendors purchase operating system and communications firmware components from 3rd party suppliers. These suppliers sell to many ICS product vendors, resulting in vulnerabilities that go beyond a single vendor.

4.    COMMENT: In some respects, this vulnerability is no surprise, but it is also a sad comment on the state of PLC product security testing.  Vulnerabilities in embedded web servers in controllers are legendary and often trivial to find. The S7-1200 was released less than two years ago and Siemens should have been testing for this sort of issue in their design and QA processes in a new product like this.

S7-1200 PLC Replay Attack and Memory Protection Attack Vulnerabilities

5.    FACT: Another of the vulnerabilities is a replay attack against S7-1200 PLC, using previously captured network traffic.

6.    FACT: A third vulnerability is a memory protection attack against S7-1200 PLC, allowing the  PLC memory to be modified using crafted packets.

7.    GUESS: Both of these vulnerabilities are probably design flaws in the hashing and message authentication (aka password) mechanism in the PLC. The programming messages are checked by the PLC to make sure they are for that PLC, but not if they are current messages. This means an attacker can capture valid messages, such as a PLC stop command, and then replay it at a later time when it suits his or her nefarious purposes.

8.    COMMENT: These vulnerabilities will likely extend to other S7 PLCs, as they are design flaws and not programming flaws. Notice that Siemens is very careful (some might say “sneaky”) in their wording on what products are affected – “The S7-300 and S7-400 controllers are not affected by the denial-of-service scenario.” They fail to mention this replay vulnerability.

S7-1200 PLC Clear Text Protocol Vulnerability

9.    GUESS: Based on the shopping list of possible consequences listed by NSS, the other vulnerabilities are likely due to the fact that the protocol the S7-1200 uses to communicate to HMIs is a clear text protocol. This is certainly not news in the ICS world – virtually every ICS/SCADA protocol used today is clear text.

10.    COMMENT: Chances are that all these vulnerabilities are not difficult to find or exploit and more are waiting for the next researcher. Despite Siemens’ comments, I really doubt Beresford had “special laboratory conditions" with "unlimited access to the protocols". Anyone can purchase an S7-1200 for a few hundred dollars and most of the tools are free.

Keep in mind that the above are based on my analysis of the public documents, not insider knowledge. I could be wrong on these guesses and comments – I certainly have been wrong before.

So what does this all mean for the SCADA and ICS industry? What does it mean for ICS professional’s responsible for the control system in a critical industrial plant?

I will discuss both in my next two blog articles. If you want to be automatically notified when those blogs are published, simply use the RSS or email blog subscription form in the upper right corner of this page.

Related Links

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed

Comments

2

Awesome work, covering the facts, although there's more, this is a good representation of the vulnerabilities in the S7 controllers. You have done an excellent job focusing on key issues. I commend you for this.

-Dillon

a. Web security may make it harder for hackers to get in, but won’t keep adept hackers out. There exist holes in software to jump through for a hacker that understands programming.

b. A good programmer can figure out how control system software works and can change the code to do what they want it to do. It’s a matter then of finding a vulnerability to allow access to the control system to drop in and run the modified code.

c. With systems connected to the internet, hackers will always be at least one step ahead. Hackers have time to spend looking for application vulnerabilities. The people programming applications aren’t really good at secure coding practices, and even if they are, a hacker who understands coding can usually find a way around it.

d. As long as a system is communicating wired or wirelessly to other systems that are eventually communicating with the internet wired or wirelessly, they can be hacked.

Add new comment