Security Market Segment LS
Monday, 11 November 2019 11:33

Researchers reported to find backdoor in Siemens PLCs Featured


According to unconfirmed reports, there is a hidden access 'backdoor' in the Siemens SIMATIC S7-1200 PLC (programmable logic controller) which would give attackers access to any device.

If this is true, we strongly recommend that all Siemens s7-1200 devices be disconnected from any possible external access. Immediately.

Researchers at Germany's Ruhr University have reportedly discovered a vulnerability in the device's bootloader which would permit both cyber-attack and researcher access.

A number of outlets have written about the exploit, but none has offered any connection back to the original research. The only strong connection iTWire could locate was an abstract for a presentation at London's Blackhat conference in early December, which states:

"Siemens is a leading provider of industrial automation components for critical infrastructures, and their S7 PLC series is one of the most widely used PLCs in the industry. In recent years, Siemens integrated various security measures into their PLCs. This includes, among others, firmware integrity verification at boot time using a separate bootloader code. This code is baked in a separated SPI flash, and its firmware is not accessible via Siemens' website.

"In this talk, we present our investigation of the code running in the Siemens S7-1200 PLC bootloader and its security implications. Specifically, we will demonstrate that this bootloader, which to the best of our knowledge was running at least on Siemens S7-1200 PLCs since 2013, contains an undocumented "special access feature". This special access feature can be activated when the user sends a specific command via UART within the first half-second of the PLC booting. The special access feature provides functionalities such as limited read and writes to memory at boot time via the UART interface. We discovered that a combination of those protocol features could be exploited to execute arbitrary code in the PLC and dump the entire PLC memory using a cold-boot style attack. With that, this feature can be used to violate the existing security ecosystem established by Siemens. On a positive note, once discovered by the asset owner, this feature can also be used for good, e.g., as a forensic interface for Siemens PLCs."

iTWire has contacted the lead author of the Blackhat presentation for a copy of the report, however the following extracts are lifted from other reporting. They will be confirmed upon receipt of the original document.

In a rather large understatement, the experts prefer not to opine on the reason for this access-point but conclude that, "This is clearly a bad security practice; this feature gives anyone with sufficient knowledge access to the contents of memory, as well as the ability to overwrite data and extract information."

On the other hand, the vulnerability gave researchers a memory device forensic. "We managed to use this feature to access the contents of the PLC's memory, which could help in digital forensics investigation to detect malicious code. Although the company does not allow access to memory content under normal conditions, this is feasible using this access."

Siemens is reported to be aware of the problem and has announced the launch of a solution. They are reported as stating, "We are aware of the research of the experts of Ruhr University, regarding special hardware-based access on SIMATIC S7-1200 CPUs; our web application security teams are working to resolve the issue as soon as possible. We recommend that our users remain alert to any official update," however iTWire could find no record of this statement on their web site. Siemens has been contacted for further comment and confirmation.

It would appear that being part of the bootloader, it may not be possible for a software patch to remedy the situation and that a hardware replacement may be required. This has yet to be confirmed.



26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.



Recent Comments