DOS, Backdoor, and Easter Egg Found In Siemens S7
chicksdaddy writes with a post in Threat Post. From the article: "Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe. In an interview Tuesday evening, Beresford said he has reported 18 separate issues to Siemens and to officials at ICS CERT, the Computer Emergency Response Team for the Industrial Control Sector. Siemens said it is readying a patch for some of the holes, including one that would allow a remote attacker to gain administrative control over machinery controlled by certain models of its Step 7 industrial control software."
It's ironic that they found a backdoor, because once someone (person or organization) takes advantage of these security holes, Siemens' customers will be taking it "in the backdoor".
Here I was looking forward to hearing about someone playing Zork on an S7.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
They found DOS there? I didn't know Siemens S7 was running under ancient operating systems. :-)
The Tao of math: The numbers you can count are not the real numbers.
As I'm German myself, I'm allowed to say that this is one of the most irritating attributes. TFA about the easter egg quotes one researcher with:
They weren’t exactly happy. Considering where these devices are deployed, they didn’t think it was very funny.
Easter eggs are cool, the flight simulator was the best feature in Excel 97(?).
Yep, you showed Iran alright. Unfortunately, you also created a whole new giant pain in the world's ass.
SJW: Someone who has run out of real oppression, and has to fake it.
... but it looks like the article has just posted a how-to guide for how to pwn every utility in the USA, up to and including the port numbers to exploit and the password to use, before this vulnerability is patched. Does anybody else have a problem with this?
FTA:
"Beresford had planned to discuss a few of the vulnerabilities at TakeDownCon in Texas in May, but pulled the talk at the last minute after Siemens and the Department of Homeland Security expressed concern about disclosing the security holes before Siemens could patch them.
He's been working with DHS's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, to validate and disclose the vulnerabilities and plans to withhold some information, as well as actual exploit code, until Siemens has a chance to patch the vulnerabilities that can be fixed".
"Kill 'em all and let Root sort 'em out"
Seriously, does anyone pentest software anymore?
I didn't know Siemens S7 was running under ancient operating systems. :-)
I don't know about S7, never having used it. But you might be surprised about what sort of real-time control systems still run on operating systems like DOS, using the operating system solely as a vehicle for occasional access to storage, because DOS lets the program take over so much of the computer's execution. Google embedded dos and be surprised.
Nice. Although I have to say I am not surprised. Software is just an afterthought for these guys. They are more interested in the industrial aspects and have to have software to "make it go..."
The developers that code the software that runs SCADA (system control and data acquisition) and PID (proportional/integral/differential) controllers are usually more concerned about massaging bytes into bits the hardware will understand, avoiding logic races, and optimizing code for both size and speed, rather than worrying about remote exploits. 32k of memory isn't unheard of (note, k is an old computer term meaning kilobyte, and it takes 1024 of these kilobytes to make a lowly Megabyte, and of course 1024 Megabytes makes the old Gigabyte, and 1024 Gigabytes makes the Terabyte that most of you are most familiar with). A lot of the software that ladder logic. Security is second fiddle.
...from SIEMENS that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.
Hell, this is a company whose senior software engineers in their corporate research center(s) think you need to use Tomcat in order to have a client talk to a server (apparently they don't actually know/understand how to use a socket themselves - no shit.)
Can we please get over the usual comments of "Why are these even connected to the Internet??!?!?!?"
As TFA points out, even air gapping the control and business networks doesn't always work. And in every plant I have worked in (except one*) over the last XXX number of years, I have been freely allowed to load up any file I wanted (using my own USB flash drive) into the control network. I believe my equipment is free of viruses, but with the sophistication of Stuxnet, who can tell what the next generation of industrial sabotage tools will be like and if/how they can be detected by current technology. So I can only assume that I have not caused any issues for my clients.
[*] The exception was a plant where there was some controls software running on a VM that was on a server under control of the IT department. The only way *I* could get files onto that box was to upload them to a public directory and let the corporate system check them and drop them off on the other side of the firewall. Unless of course I handed my USB key to the client and said "Can you directly drop these files on the server for me???"
I am Slashdot. Are you Slashdot as well?
What's this about seamen in the back door?
Allen Bradley CEO sees $$$$$$$
...from SIEMENS^D^D^D^D^D^D^D GE^D^D Invensys^D^D^D^D^D^D^D^D GE^D^D Bailey^D^D^D^D^D^D Toshiba^D^D^D^D^D^D^D GE^D^D [*] and several other firms that will remain un-named for now that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.
[*] I've worked with multiple GE divisions.
I am Slashdot. Are you Slashdot as well?
I worked for Siemens for a few months in their Vienna Software Development center after graduating from college and I can say one thing: never since have I seen such a collection of average, non-interested and downright incompetent people working on large-scale software systems. The fact that Siemens builds machinery which runs our factories or even nuclear power plants should be cause for extreme Angst.
According to Digital Bond, Beresford's PLC runs Linux. Cue the GPL requests for Siemens' source code now (I wonder if the backdoor username and password are hard-coded into a GPL'd utility :)).
Disclosure: I work for Digital Bond.
Reid
The Right Reverend K. Reid Wightman,
Now I really don't like PLC's :-). Computers win again!!!!! HAHAHA
I blame Wayne Knight. If he had been a bit thinner, perhaps with a German accent, and been less bumbling, maybe the world would THINK about the means it uses to keep various carnivorous dinosaurs from leaving their security enclosures. And Crichton should have named the character von Nedry-Schleswig, or something. You've got to take the bad guys seriously if you have NO IDEA how they do their evil plans. No, no metaphors at all in that paragraph.
"Sufficiently complicated financial instruments are indistinguishable from fraud." --bmcraec
These are the exploits needed to topple governments, infrastructures, and peoples. These vulnerabilities are exactly why the US had better get the handle on the cyberspace war or else we are finished.
Apparently the industry learned little from the whole Y2K thing. This is worse. (It may not matter if your elevator controller knows what year it is, although I can see where it might for your reactor control system (adjusting for changing isotope ratios as fuel burns, for example). It matters to both if they're accessible via backdoors or prone to malware.)
I think what's needed is a Y2K-like effort to clean up infrastructure code, perhaps motivated by a government-set deadline beyond which civil and criminal liability increases steeply.
I used to work for an OEM that produced Die Cast and Injection Molding machines.. We (the support team) tried to warn them years ago about specific vulnerabilities but no one listened. This is a serious issue as someone could gain access to the machine and operate it without knowing if someone was between the platens or in the link housing performing maintenance.
But when was it decided to connect industrial systems like this to the internet at all? Didn't isolation (or at least isolated networks) used to be the norm? I have to say if I was running a robot that builds cars or a machine that controls nuclear material I would definitely not connect it to the internet or even a company's LAN.
Not that it makes these problems unimportant, but everyone seems to be overlooking the obvious basic bumble of connecting a critical system to a public network.
down down down
this is so much hype. seriously, who is going to take the time to hack this kind of hardware. it's not like you see industrial machinery breaking because of-wait. what? what is this Stuxnet you speak of?
Anons need not reply. Questions end with a question mark.
I've said it before, semen and backdoors should not ever be used in the same sentence!
No, it's information that's out there anyway. I have a problem with hard-coded passphrases and the serious vulnerabilities in critical equipment, not to mention their connectivity to public networks.
I had my share of work with Siemens. When you see people boast that they're "software engineers" and then see them struggle with VB, you know something is not quite right.
But hey, what do you expect? We got a good deal of our technical personnel (including programmers) from temp agencies; actually, from some point in 2000-something, we could ONLY hire temp agency workers for tech work. You might imagine the average productivity when the average tenure is about 3 months (because no programmer actually has to stay with a temp agency for long, it's basically "just something to bridge real jobs"), and they were about as motivated as this suggests. Quite a few were "sick" every couple of days, usually suspiciously a few days before they tossed in the "up yours" letter and went away. The only people that stayed were the ones that couldn't get out of the temp job, i.e. the ones that couldn't even get past HR because even HR noticed how inept they were.
Now take a wild guess what quality gets produced in such an environment.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They are still buying their centrifuges and pretty much all equipment from outside. Iran doesn't have much choice. I am not going to point out that the Russians did in a few years what has so far taken Iran decades. There might be a reason they are slow other than outside influences.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
DOS by itself does nothing. Disk access is deterministic under it.
Not if your underlying disk isn't deterministic. A hard drive might have thermal recalibration, sector remapping, spin retries, etc. Can something like RTKernel make disk access asynchronous so that the rest of the system can continue to run even if the disk is lagging?
My company uses the S7 PLCs a lot, and they are known to be 'vulnerable' when you have access to them over the network. That is by design; that is how you program them. It is like saying a Linux machine is vulnerable because port 22 is open. The difference is that, because of limited resources, a PLC doesn't need a username and password to log on to.
Which is the reason PLCs are in an industrial Ethernet, with an extensive firewall and only accessible through VPN. But once you can connect to them over port 102, you can do anything you like with them: reprogram, start, stop, etc. So, how to fix this? Don't use port 102 and program/debug/control them using the MPI port. Problem is, you need physical access and that can be problematic in some cases.
-- The Internet is a too slow way of doing things, you'd never do without it.
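The comment above makes the practical point: an S7 PLC accepts programming commands on TCP/102 without any login, so the only control you have is who can reach that port. The following is an added example (not from the article, the commenter, or Siemens) of the detection side of that control: it parses constructed flow-log lines and flags any connection to TCP/102 whose source is not inside the engineering/VPN subnet. The log format, the `10.99.0.0/24` engineering range, and the PLC addresses are all assumptions for illustration.

```python
"""Flag S7 programming-port (TCP/102) connections from outside the engineering VPN.

Added example: the log format and all addresses below are constructed
assumptions, not data from the article or from any real plant.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: engineering workstations reach the PLC VLAN only through a VPN
# that assigns addresses from this range. Adjust to your own plant.
ENGINEERING_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# ISO-TSAP, the port S7 programming tools (Step 7) talk to on the PLC.
S7_PORT = 102


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse a 'key=value' flow line (src, dst, dport); None if malformed."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    try:
        return Flow(
            ipaddress.ip_address(fields["src"]),
            ipaddress.ip_address(fields["dst"]),
            int(fields["dport"]),
        )
    except (KeyError, ValueError):
        return None


def is_engineering_source(src, nets=ENGINEERING_NETS) -> bool:
    """True if the source address sits inside an allowed engineering subnet."""
    return any(src in net for net in nets)


def find_rogue_s7_access(lines: List[str], nets=ENGINEERING_NETS) -> List[str]:
    """Return one alert string per TCP/102 flow from outside the allowed subnets.

    Non-102 traffic and unparseable lines are ignored; since the PLC itself
    has no login on this port, any such flow is treated as programming access.
    """
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.dport != S7_PORT:
            continue
        if not is_engineering_source(flow.src, nets):
            alerts.append(
                f"{flow.src} -> {flow.dst}:{flow.dport} "
                "S7 programming port reached from outside engineering subnet"
            )
    return alerts


# Constructed sample log: one legitimate VPN session, one office desktop
# talking to a PLC, one unrelated HTTPS flow, one junk line, one more rogue.
SAMPLE_LOG = [
    "ts=1 src=10.99.0.12 dst=10.20.1.5 dport=102 proto=tcp",
    "ts=2 src=192.168.50.7 dst=10.20.1.5 dport=102 proto=tcp",
    "ts=3 src=192.168.50.7 dst=10.20.1.9 dport=443 proto=tcp",
    "garbage line with no fields",
    "ts=4 src=172.16.4.2 dst=10.20.1.6 dport=102 proto=tcp",
]

if __name__ == "__main__":
    for alert in find_rogue_s7_access(SAMPLE_LOG):
        print("ALERT:", alert)
```

This is visibility, not a fix: the PLC still executes whatever arrives on port 102, so the firewall rule that blocks everything but the VPN range is the control, and this check only tells you when that rule has a hole (or when something on the engineering subnet itself has been compromised, which a source-address allow-list cannot distinguish).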