Slashdot Mirror


DOS, Backdoor, and Easter Egg Found In Siemens S7

chicksdaddy writes with a post in Threat Post. From the article: "Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe. In an interview Tuesday evening, Beresford said he has reported 18 separate issues to Siemens and to officials at ICS CERT, the Computer Emergency Response Team for the Industrial Control Sector. Siemens said it is readying a patch for some of the holes, including one that would allow a remote attacker to gain administrative control over machinery controlled by certain models of its Step 7 industrial control software."

20 of 121 comments

  1. Oh Good, A Backdoor by WrongSizeGlass · · Score: 2

    It's ironic that they found a backdoor because once someone (person or organization) takes advantage of these security holes Siemens' customers will be taking it "in the backdoor".

    1. Re:Oh Good, A Backdoor by wiedzmin · · Score: 2

      Considering that malware targeting Siemens' SCADA systems has been around since last year, I think there's been some backdoor action happening already... there are just no regulations that force industrial entities to release information about their breaches... or, it is entirely possible that industrial entities lack the IT staff and infrastructure to detect said breaches.

      --
      Bow before me, for I am root.
    2. Re:Oh Good, A Backdoor by tlhIngan · · Score: 4, Insightful

      Actually, I'd hazard a guess that MOST SCADA systems are vulnerable. These things weren't designed with security in mind - they're supposed to run off closed networks separated from the Internet (easily done - most of these things predate the Internet).

      Heck, the biggest "security issue" would've been access via OPC ("OLE for Process Control" - yes, that same stuff Microsoft touted - "Object Linking and Embedding" from Windows 3.x).

      And yeah, most industrial entities probably lack the proper IT team and infrastructure - after all, most of their work involved keeping the network up and running for the controllers, keeping OPC working. Then someone demands Internet connectivity on their desktop and they set up routers and firewalls (and don't know about stuff like data diodes).

      Basically, stuff that was never designed for security ends up on the Internet.

  2. Oh, THAT DOS... by damn_registrars · · Score: 2

    Here I was looking forward to hearing about someone playing Zork on an S7.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  3. Gee thanks Mossad by elrous0 · · Score: 2

    Yep, you showed Iran alright. Unfortunately, you also created a whole new giant pain in the world's ass.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:Gee thanks Mossad by Anubis350 · · Score: 3, Insightful

      I'm going to argue that Siemens created the problem by failing to secure their work against some rather embarrassing vulnerabilities. You think that if Stuxnet hadn't been created no-one would have eventually found these? Possible, I suppose, but doubtful, I mean someone had to be thinking along those lines in order to create Stuxnet in the first place, and if one team can then so can another.

      --
      "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  4. Re:Germans and humour... by geekoid · · Score: 5, Insightful

    Adding more code to critical systems is NOT COOL. More bugs, more exploits. SCADA systems need to be developed by people who understand and enforce proper engineering and professionalism. This teenage hacker shot does NOT belong there.

    IF the software industry would start enforcing engineering principles, most of these messes wouldn't even exist.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  5. Only quickly scanned TFA.... by LordStormes · · Score: 2

    ... but it looks like the article has just posted a how-to guide for how to pwn every utility in the USA, up to and including the port numbers to exploit and the password to use, before this vulnerability is patched. Does anybody else have a problem with this?

    1. Re:Only quickly scanned TFA.... by gregfortune · · Score: 2

      That's a little naive. I can promise you PLCs running unpatched versions of software are running accessible from the internet and no amount of "You shouldn't have done that, dummy" is going to magically secure them overnight. The reality is that our industry simply isn't as security conscious as it needs to be and while some of us recognize the PLC systems should be air-gapped anyway, I doubt that's the norm.

      If your power goes out tonight, I'm going to smile a little inside. Deserved?

  6. Need a new scanner... by MRe_nl · · Score: 3

    FTA:
    "Beresford had planned to discuss a few of the vulnerabilities at TakeDownCon in Texas in May, but pulled the talk at the last minute after Siemens and the Department of Homeland Security expressed concern about disclosing the security holes before Siemens could patch them.

    He's been working with DHS's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, to validate and disclose the vulnerabilities and plans to withhold some information, as well as actual exploit code, until Siemens has a chance to patch the vulnerabilities that can be fixed".

    --
    "Kill 'em all and let Root sort 'em out"
  7. Re:Germans and humour... by Infiniti2000 · · Score: 4, Insightful

    Easter eggs are cool

    No, Easter eggs (in software) are not cool. They cause problems in many ways.

    1. Once discovered, they cause embarrassment to the employer.
    2. They're a waste of resources (money) to the employer. The waste includes: time and money to actually implement or at a minimum opportunity cost for not working on real products, money spent removing the eggs, money spent repairing field items or possibly recall.
    3. If discovered, the employee faces potentially significant consequences. Obviously, this is likely termination, but depending on the length of employment and other facts, this could also severely affect future employment opportunities.
    4. This may do irreparable harm to the reputation of the employer. This could be long-lasting, too, as evidenced by your recollection of the Excel egg.
    5. The egg itself may be a source of a security vulnerability.
    6. The egg itself may have bugs and (besides a security vulnerability as mentioned above) cause a crash of the system.
  8. Embedded systems may not need much of an OS by tepples · · Score: 5, Interesting

    I didn't know Siemens S7 was running under ancient operating systems. :-)

    I don't know about S7, never having used it. But you might be surprised about what sort of real-time control systems still run on operating systems like DOS, using the operating system solely as a vehicle for occasional access to storage, because DOS lets the program take over so much of the computer's execution. Google embedded dos and be surprised.

  9. Re:Germans and humour... by Anonymous Coward · · Score: 2, Insightful

    As I'm myself working for a grid operator I'm allowed to say that easter eggs in word processors and spreadsheets are one thing, and easter eggs in critical infrastructure control systems are quite another. Hopefully everyone can agree an easter egg in the software that controls the space shuttle would not be amusing either...

  10. Having personally worked with "software engineers" by Assmasher · · Score: 2

    ...from SIEMENS that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.

    Hell, this is a company whose senior software engineers in their corporate research center(s) think you need to use Tomcat in order to have a client talk to a server (apparently they don't actually know/understand how to use a socket themselves - no shit.)

    --
    Loading...
  11. Queue Comments on Internet .. 3 .. 2 .. 1 by OzPeter · · Score: 4, Interesting

    Can we please get over the usual comments of "Why are these even connected to the Internet??!?!?!?"

    As TFA points out, even air gapping the control and business networks doesn't always work. And in every plant I have worked in (except one*) over the last XXX number of years, I have been freely allowed to load up any file I wanted (using my own USB flash drive) into the control network. I believe my equipment is free of viruses, but with the sophistication of Stuxnet, who can tell what the next generation of industrial sabotage tools will be like and if/how they can be detected by current technology. So I can only assume that I have not caused any issues for my clients.

    [*] The exception was a plant where there was some controls software running on a VM that was on a server under control of the IT department. The only way *I* could get files onto that box was to upload them to a public directory and let the corporate system check them and drop them off on the other side of the firewall. Unless of course I handed my USB key to the client and said "Can you directly drop these files on the server for me???"

    --
    I am Slashdot. Are you Slashdot as well?
  12. AB Logix by Is0m0rph · · Score: 2

    Allen Bradley CEO sees $$$$$$$

  13. Re:Having personally worked with "software enginee by OzPeter · · Score: 2

    ...from SIEMENS^D^D^D^D^D^D^D GE^D^D Invensys^D^D^D^D^D^D^D^D GE^D^D Bailey^D^D^D^D^D^D Toshiba^D^D^D^D^D^D^D GE^D^D [*] and several other firms that will remain un-named for now that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.

    [*] I've worked with multiple GE divisions.

    --
    I am Slashdot. Are you Slashdot as well?
  14. Re:Germans and humour... by Kyusaku+Natsume · · Score: 2

    This is more like the one that did the easter egg was venting a lot of frustration rather than doing it for fun. I had a friend who worked for Siemens who was treated by the local managers and the German leadership worse than shit. One of their common answers was "we don't care if you don't like it because we have 50 engineers at the door begging for your post and we will pay them less than what we pay you." If the corporate culture is the same in all of Siemens it is no wonder that their products turn out so badly at the end of the day.

    --
    Mexico: 100% conservative's America now!
  15. Re:Germans and humour... by Gilmoure · · Score: 2

    Engineering standards and accreditation for coders?

    --
    I drank what? -- Socrates
  16. Re:Germans and humour... by slashqwerty · · Score: 2

    Call me crazy but a piece of non-executable code in an HTML file on a partition in the firmware does not sound a) exploitable, or b) critical.

    Something has to process the HTML file. HTML is a complex standard -- far more so than plain text. An HTML rendering engine needs code to process every tag it supports.

    I remember back in the day when the Goodtimes virus hoax was making the rounds. Software professionals were incredulous that people actually believed it was possible to catch a virus simply by reading email. Yet a few years later viruses started popping up that exploited security holes in email clients.

    Back to the subject of HTML, here are a few security vulnerabilities in HTML rendering engines:

    Siemens is taking the issue seriously.

    While the Easter egg may have simply been a developer's idea of fun, Beresford says he's still examining it to see if it's possible to send commands through the html page back to the PLC.