Siemens S7 PLCs Share Same Crypto Key Pair, Researchers Find

Researchers at Black Hat USA reveal how security authentication weaknesses in popular Siemens ICS family let them control a PLC.

BLACK HAT USA — Las Vegas — Security researchers who built a phony engineering workstation that was able to dupe the Siemens S7 programmable logic controller (PLC), and alter its operations, found that modern S7 PLC families running the same firmware also share the same public cryptographic key, leaving the devices vulnerable to attacks like the ones they simulated.


"All PLCs of the same model have the same key, which means if you crack one, you've cracked all of them," said Avishai Wool, a professor at Tel Aviv University's School of Electrical Engineering, of the S7-1500 PLCs he and his fellow researchers studied. "So if you are able to talk to one of them, you are able to talk to all of them." 


Wool, Eli Biham and Sara Bitan of Technion, and Uriel Malin of Tel Aviv University reverse-engineered the S7's cryptographic protocol and were able to attack the S7-1500 PLC with a fake engineering workstation posing as a Siemens TIA (Totally Integrated Automation) Portal system that forced the S7 to power on and off and follow other commands, as well as download rogue code. An attacker sending a rogue command to the PLC could cause a disruption to a plant's physical process, the researchers said.
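The practical consequence of the finding is blast radius: when one key pair serves every controller of a model, recovering that single private key exposes the whole fleet rather than one device. The Python below is an added illustration, not the researchers' code or any Siemens tooling, showing how an asset owner could audit their own inventory for key reuse: it fingerprints the public key each device presents and flags any fingerprint shared by more than one device. The inventory, device names, firmware labels and key bytes are constructed placeholders, not real S7 key material.

```python
import hashlib
from collections import defaultdict

# Constructed inventory (assumption): each entry holds the raw public-key bytes
# a controller presents during the engineering-workstation handshake. The key
# material is placeholder text, not an actual Siemens key.
INVENTORY = [
    {"device": "plc-line1-a", "model": "S7-1500", "firmware": "fw-A", "pubkey": b"-----KEY-MATERIAL-A-----"},
    {"device": "plc-line1-b", "model": "S7-1500", "firmware": "fw-A", "pubkey": b"-----KEY-MATERIAL-A-----"},
    {"device": "plc-line2-a", "model": "S7-1500", "firmware": "fw-A", "pubkey": b"----- KEY-MATERIAL-A -----"},
    {"device": "plc-utility", "model": "S7-1500", "firmware": "fw-B", "pubkey": b"-----KEY-MATERIAL-B-----"},
    {"device": "plc-packaging", "model": "S7-1200", "firmware": "fw-C", "pubkey": b"-----KEY-MATERIAL-C-----"},
]


def key_fingerprint(pubkey: bytes) -> str:
    """SHA-256 hex fingerprint of the public-key bytes, with whitespace removed so
    that the same key captured with different line wrapping still matches."""
    normalised = b"".join(pubkey.split())
    return hashlib.sha256(normalised).hexdigest()


def find_shared_keys(inventory):
    """Group devices by key fingerprint and return only the fingerprints that
    more than one distinct device presents (the key-reuse findings)."""
    groups = defaultdict(set)
    for entry in inventory:
        groups[key_fingerprint(entry["pubkey"])].add(entry["device"])
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}


def blast_radius(inventory) -> int:
    """Number of devices exposed by the recovery of a single private key, i.e. the
    size of the largest group of devices sharing one public key (1 if no reuse)."""
    shared = find_shared_keys(inventory)
    return max((len(devs) for devs in shared.values()), default=1)


def reuse_report(inventory):
    """Human-readable lines for an audit report, one per shared key."""
    lines = []
    for fp, devs in sorted(find_shared_keys(inventory).items()):
        lines.append(f"key {fp[:16]}... shared by {len(devs)} devices: {', '.join(devs)}")
    if not lines:
        lines.append("no public key is presented by more than one device")
    return lines


if __name__ == "__main__":
    for line in reuse_report(INVENTORY):
        print(line)
    print(f"worst-case blast radius of one key compromise: {blast_radius(INVENTORY)} devices")
```

The whitespace normalisation matters in practice: the same key exported from two tools often differs only in line wrapping, and without it a naive byte comparison under-reports reuse. In a real audit the `pubkey` field would be filled from captured handshakes or exported device certificates, and a reuse group spanning more than one device is the finding to escalate.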


They gained control of the PLC by surreptitiously downloading rogue command logic to the S7 PLC and hiding it so that it was unnoticeable ..
