If this is true, we strongly recommend that all Siemens s7-1200 devices be disconnected from any possible external access. Immediately.
Researchers at Germany's Ruhr University have reportedly discovered a vulnerability in the device's bootloader which would permit both cyber-attack and researcher access.
A number of outlets have written about the exploit, but none has offered any connection back to the original research. The only strong connection iTWire could locate was an abstract for a presentation at London's Blackhat conference in early December, which states:
"Siemens is a leading provider of industrial automation components for critical infrastructures, and their S7 PLC series is one of the most widely used PLCs in the industry. In recent years, Siemens integrated various security measures into their PLCs. This includes, among others, firmware integrity verification at boot time using a separate bootloader code. This code is baked in a separated SPI flash, and its firmware is not accessible via Siemens' website.
"In this talk, we present our investigation of the code running in the Siemens S7-1200 PLC bootloader and its security implications. Specifically, we will demonstrate that this bootloader, which to the best of our knowledge was running at least on Siemens S7-1200 PLCs since 2013, contains an undocumented "special access feature". This special access feature can be activated when the user sends a specific command via UART within the first half-second of the PLC booting. The special access feature provides functionalities such as limited read and writes to memory at boot time via the UART interface. We discovered that a combination of those protocol features could be exploited to execute arbitrary code in the PLC and dump the entire PLC memory using a cold-boot style attack. With that, this feature can be used to violate the existing security ecosystem established by Siemens. On a positive note, once discovered by the asset owner, this feature can also be used for good, e.g., as a forensic interface for Siemens PLCs."
iTWire has contacted the lead author of the Blackhat presentation for a copy of the report, however the following extracts are lifted from other reporting. They will be confirmed upon receipt of the original document.
In a rather large understatement, the experts prefer not to opine on the reason for this access-point but conclude that, "This is clearly a bad security practice; this feature gives anyone with sufficient knowledge access to the contents of memory, as well as the ability to overwrite data and extract information."
On the other hand, the vulnerability gave researchers a memory device forensic. "We managed to use this feature to access the contents of the PLC's memory, which could help in digital forensics investigation to detect malicious code. Although the company does not allow access to memory content under normal conditions, this is feasible using this access."
Siemens is reported to be aware of the problem and has announced the launch of a solution. They are reported as stating, "We are aware of the research of the experts of Ruhr University, regarding special hardware-based access on SIMATIC S7-1200 CPUs; our web application security teams are working to resolve the issue as soon as possible. We recommend that our users remain alert to any official update," however iTWire could find no record of this statement on their web site. Siemens has been contacted for further comment and confirmation.
It would appear that being part of the bootloader, it may not be possible for a software patch to remedy the situation and that a hardware replacement may be required. This has yet to be confirmed.