Security Market Segment LS
Monday, 11 November 2019 11:33

Researchers reported to find backdoor in Siemens PLCs Featured

By
Researchers reported to find backdoor in Siemens PLCs

According to unconfirmed reports, there is a hidden access 'backdoor' in the Siemens SIMATIC S7-1200 PLC (programmable logic controller) which would give attackers access to any device.

If this is true, we strongly recommend that all Siemens s7-1200 devices be disconnected from any possible external access. Immediately.

Researchers at Germany's Ruhr University have reportedly discovered a vulnerability in the device's bootloader which would permit both cyber-attack and researcher access.

A number of outlets have written about the exploit, but none has offered any connection back to the original research. The only strong connection iTWire could locate was an abstract for a presentation at London's Blackhat conference in early December, which states:

"Siemens is a leading provider of industrial automation components for critical infrastructures, and their S7 PLC series is one of the most widely used PLCs in the industry. In recent years, Siemens integrated various security measures into their PLCs. This includes, among others, firmware integrity verification at boot time using a separate bootloader code. This code is baked in a separated SPI flash, and its firmware is not accessible via Siemens' website.

"In this talk, we present our investigation of the code running in the Siemens S7-1200 PLC bootloader and its security implications. Specifically, we will demonstrate that this bootloader, which to the best of our knowledge was running at least on Siemens S7-1200 PLCs since 2013, contains an undocumented "special access feature". This special access feature can be activated when the user sends a specific command via UART within the first half-second of the PLC booting. The special access feature provides functionalities such as limited read and writes to memory at boot time via the UART interface. We discovered that a combination of those protocol features could be exploited to execute arbitrary code in the PLC and dump the entire PLC memory using a cold-boot style attack. With that, this feature can be used to violate the existing security ecosystem established by Siemens. On a positive note, once discovered by the asset owner, this feature can also be used for good, e.g., as a forensic interface for Siemens PLCs."


iTWire has contacted the lead author of the Blackhat presentation for a copy of the report, however the following extracts are lifted from other reporting. They will be confirmed upon receipt of the original document.

In a rather large understatement, the experts prefer not to opine on the reason for this access-point but conclude that, "This is clearly a bad security practice; this feature gives anyone with sufficient knowledge access to the contents of memory, as well as the ability to overwrite data and extract information."

On the other hand, the vulnerability gave researchers a memory device forensic. "We managed to use this feature to access the contents of the PLC's memory, which could help in digital forensics investigation to detect malicious code. Although the company does not allow access to memory content under normal conditions, this is feasible using this access."

Siemens is reported to be aware of the problem and has announced the launch of a solution. They are reported as stating, "We are aware of the research of the experts of Ruhr University, regarding special hardware-based access on SIMATIC S7-1200 CPUs; our web application security teams are working to resolve the issue as soon as possible. We recommend that our users remain alert to any official update," however iTWire could find no record of this statement on their web site. Siemens has been contacted for further comment and confirmation.

It would appear that being part of the bootloader, it may not be possible for a software patch to remedy the situation and that a hardware replacement may be required. This has yet to be confirmed.

 

Read 3877 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here




EXL AI IN ACTION VIRTUAL EVENT 20 MARCH 2025

Industry leaders are looking to transform their businesses and achieve measurable outcomes with AI.

As organisations across APAC navigate the complexities of AI adoption, this must-attend event brings together industry leaders, real-world demonstrations, and visionary panel discussions to bridge the gap between proof-of-concepts and enterprise-wide AI implementation.

Learn how to overcome common challenges in deploying AI at scale.​

Unlock cost savings, efficiency, and better customer experiences with AI.

Discover how industry expertise and data intelligence enable practical AI deployment.

Register for the event now!

REGISTER!

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

BACK TO HOME PAGE
Published in Security
Tagged under
David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

Latest from David Heath

Related items

More in this category: « Kaspersky finds Platinum APT using new Windows backdoor Bootcamps to focus on challenges posed by regional cyber security »
Share News tips for the iTWire Journalists? Your tip will be anonymous
back to top

Subscribe to Newsletter

*  Enter the security code shown: img0

WEBINARS & EVENTS

CYBERSECURITY

PEOPLE MOVES

GUEST ARTICLES

Guest Opinion

ITWIRETV & INTERVIEWS

RESEARCH & CASE STUDIES

Channel News

Comments