Security Market Segment LS
Monday, 11 November 2019 11:33

Researchers reported to find backdoor in Siemens PLCs Featured


According to unconfirmed reports, there is a hidden access 'backdoor' in the Siemens SIMATIC S7-1200 PLC (programmable logic controller) which would give attackers access to any device.

If this is true, we strongly recommend that all Siemens s7-1200 devices be disconnected from any possible external access. Immediately.

Researchers at Germany's Ruhr University have reportedly discovered a vulnerability in the device's bootloader which would permit both cyber-attack and researcher access.

A number of outlets have written about the exploit, but none has offered any connection back to the original research. The only strong connection iTWire could locate was an abstract for a presentation at London's Blackhat conference in early December, which states:

"Siemens is a leading provider of industrial automation components for critical infrastructures, and their S7 PLC series is one of the most widely used PLCs in the industry. In recent years, Siemens integrated various security measures into their PLCs. This includes, among others, firmware integrity verification at boot time using a separate bootloader code. This code is baked in a separated SPI flash, and its firmware is not accessible via Siemens' website.

"In this talk, we present our investigation of the code running in the Siemens S7-1200 PLC bootloader and its security implications. Specifically, we will demonstrate that this bootloader, which to the best of our knowledge was running at least on Siemens S7-1200 PLCs since 2013, contains an undocumented "special access feature". This special access feature can be activated when the user sends a specific command via UART within the first half-second of the PLC booting. The special access feature provides functionalities such as limited read and writes to memory at boot time via the UART interface. We discovered that a combination of those protocol features could be exploited to execute arbitrary code in the PLC and dump the entire PLC memory using a cold-boot style attack. With that, this feature can be used to violate the existing security ecosystem established by Siemens. On a positive note, once discovered by the asset owner, this feature can also be used for good, e.g., as a forensic interface for Siemens PLCs."

iTWire has contacted the lead author of the Blackhat presentation for a copy of the report, however the following extracts are lifted from other reporting. They will be confirmed upon receipt of the original document.

In a rather large understatement, the experts prefer not to opine on the reason for this access-point but conclude that, "This is clearly a bad security practice; this feature gives anyone with sufficient knowledge access to the contents of memory, as well as the ability to overwrite data and extract information."

On the other hand, the vulnerability gave researchers a memory device forensic. "We managed to use this feature to access the contents of the PLC's memory, which could help in digital forensics investigation to detect malicious code. Although the company does not allow access to memory content under normal conditions, this is feasible using this access."

Siemens is reported to be aware of the problem and has announced the launch of a solution. They are reported as stating, "We are aware of the research of the experts of Ruhr University, regarding special hardware-based access on SIMATIC S7-1200 CPUs; our web application security teams are working to resolve the issue as soon as possible. We recommend that our users remain alert to any official update," however iTWire could find no record of this statement on their web site. Siemens has been contacted for further comment and confirmation.

It would appear that being part of the bootloader, it may not be possible for a software patch to remedy the situation and that a hardware replacement may be required. This has yet to be confirmed.



As part of our Lead Machine Methodology we will help you get more leads, more customers and more business. Let us help you develop your digital marketing campaign

Digital Marketing is ideal in these tough times and it can replace face to face marketing with person to person marketing via the phone conference calls and webinars

Significant opportunity pipelines can be developed and continually topped up with the help of Digital Marketing so that deals can be made and deals can be closed

- Newsletter adverts in dynamic GIF slideshow formats

- News site adverts from small to large sizes also as dynamic GIF slideshow formats

- Guest Editorial - get your message out there and put your CEO in the spotlight

- Promotional News and Content - displayed on the homepage and all pages

- Leverage our proven event promotion methodology - The Lead Machine gets you leads

Contact Andrew our digital campaign designer on 0412 390 000 or via email



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.



Recent Comments