An undocumented access feature in some newer models of Siemens programmable logic controllers (PLCs) can be used as both a weapon by attackers as well as a forensic tool for defenders, researchers have discovered.
Researchers at Ruhr University Bochum in Germany stumbled across the hardware-based special access feature in Siemens' S7-1200 PLCs while studying its bootloader, which, among other things, handles software updates and verifies the integrity of the PLC's firmware when the device starts up.
They found that an attacker using the special access feature could bypass the bootloader's firmware integrity check within a half-second window when the PLC starts up and load malicious code to wrest control of the PLC's processes.
Just why the special access feature resides in the PLCs remains a mystery. There have been cases of embedded devices found harboring hidden maintenance ports left behind by vendors, for example, but the researchers were baffled by the existence of this one in the Siemens PLCs.
"We don't know why [Siemens has] this functionality," says Ali Abbasi, a research scholar at Ruhr-University Bochum, who, along with PhD student Tobias Scharnowski and professor Thorsten Holz, worked on the research. "Security-wise, it's wrong to have such a thing because you can also read and write to memory and dump the content of memory from the RAM."
The researchers shared their findings with Siemens, which says it's working on a fix for the vulnerability.
"Siemens is aware of the research from Ruhr University Bochum concerning hardware-based special access in SIMATIC S7-1200 CPUs. Siemens experts are working on a ..
Support the originator by clicking the read the rest link below.
