Forgot your password?
typodupeerror
Security IT

DOS, Backdoor, and Easter Egg Found In Siemens S7 121

Posted by Unknown Lamer
from the punch-the-monkey dept.
chicksdaddy writes with a post in Threat Post. From the article: "Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe. In an interview Tuesday evening, Beresford said he has reported 18 separate issues to Siemens and to officials at ICS CERT, the Computer Emergency Response Team for the Industrial Control Sector. Siemens said it is readying a patch for some of the holes, including one that would allow a remote attacker to gain administrative control over machinery controlled by certain models of its Step 7 industrial control software."
This discussion has been archived. No new comments can be posted.

DOS, Backdoor, and Easter Egg Found In Siemens S7

Comments Filter:
  • by WrongSizeGlass (838941) on Thursday August 04, 2011 @11:49AM (#36986560)
    It's ironic that they found a backdoor because once someone (person or organization) takes advantage of these security hole Siemens' customers will be taking it "in the backdoor".
    • by wiedzmin (1269816)
      Considering that malware targeting Siemens' SCADA systems has been around since last year, I think there's been some backdoor action happening already... there is just no regulations that force industrial entities to release information about their breaches... or, it is entirely possible that industrial entities lack the IT staff and infrastructure to detect said breaches.
      • by geekoid (135745)

        Depends. Government agency will disclose that information. There are guidelines you need to follow.

        Private corporations don't.

        • by slick7 (1703596)

          Depends. Government agency will disclose that information. There are guidelines you need to follow.

          Private corporations don't.

          Unless that government is Israel and their Stuxnet program. Don't piss them off or suffer the fate of Japan.
          The reactors along the New Madrid fault use Sieman's SCADA systems, don't they?

      • Considering that malware targeting Siemens' SCADA systems has been around since last year

        I'd have thought Siemens would have learned something from the hardcoded passwords that allowed Stuxnet to proliferate. Of course, I'd be wrong again.

        • by RockDoctor (15477)
          Siemens could have learned a lot from the Stuxnet episode.

          That wouldn't change the installed base though. And it is unlikely to get much of that base patched. "What do you mean, shut the factory down because you need to install some new software? You had your opportunity last October ; you'll get your next opportunity next October. You get one day. Test system? I dunno. You tell me where the test system is ; I know I haven't got room for one here. You must be new here. Just hired last week eh? The last guy

      • by tlhIngan (30335) <(ten.frow) (ta) (todhsals)> on Thursday August 04, 2011 @12:14PM (#36986918)

        Actually, I'd hazard a guess that MOST SCADA systems are vulnerable. These things weren't designed with security in mind - they're supposed to run off closed networks separated from the Internet (easily done - most of these things predate the Internet).

        Heck, the biggest "security issue" would've been access via OPC ("OLE for Process Control" - yes, that same stuff Microsoft touted - "Object Linking and Embedding" from Windows 3.x).

        And yeah, most industrial entities probably lack the proper IT team and infrastructure - after all, most of their work involved keeping the network up and running for the controllers, keeping OPC working. The someone demands Internet connectivity on their desktop and they set up routers and firewalls (and don't know about stuff like data diodes).

        Basically, stuff that was never designed for security ends up on the Internet.

        • by Gilmoure (18428)

          Basically, stuff that was never designed for security ends up on the Internet.

          Oh, this is too easy.

        • by Synerg1y (2169962)

          I am still scratching my head as to how these machines are exactly web facing so that they could be remotely exploited? I have a hard time picturing a robotic arm with a web interface to control it. It would be more be a custom application on an embedded system. Did I mention embedded systems? They're a bit different from windows based systems on most occasions. Dunno, really can't follow the logic here, the only that should face the web should be non-employee based consumer websites for a business, ma

          • by tlhIngan (30335)

            I am still scratching my head as to how these machines are exactly web facing so that they could be remotely exploited? I have a hard time picturing a robotic arm with a web interface to control it. It would be more be a custom application on an embedded system. Did I mention embedded systems? They're a bit different from windows based systems on most occasions. Dunno, really can't follow the logic here, the only that should face the web should be non-employee based consumer websites for a business, maybe V

            • by rioki (1328185)
              Did I mention that a few of the Step 7 and WinCC components have Web-Frontends? Oh yes they do. Ok it's not the run time but the engineering and maintenance and you are supposed to secure them. But I can really imagine that going wrong.
    • by b0r1s (170449)
      Siemens hole has already been used to rape Iran (Stuxnet fun). Doesn't get much more rapey than that.
      • by Sulphur (1548251)

        Siemens hole has already been used to rape Iran (Stuxnet fun). Doesn't get much more rapey than that.

        Did you mean rapier?

    • Not just that, I assumed that it was always known that semens' code will spawn a child process.

    • even more so if the controller is controlling the locks on there back door :(
  • Here I was looking forward to hearing about someone playing Zork on an S7.
    • by Toe, The (545098)

      Better yet, you can run WordPerfect 5.1 and Lotus 1-2-3!!

      • Better yet, you can run WordPerfect 5.1 and Lotus 1-2-3!!

        Only if you still have that keyboard map/Rosetta stone they included. I think it was ctrl-option-shift-F13 to insert "WTF?"

      • Better yet, you can run WordPerfect 5.1 and Lotus 1-2-3!!

        But that is productivity software; why would we want to load that on an industrial controller? It would be far more interesting to use it to play Doom instead...

  • They found DOS there? I didn't know Siemens S7 was running under ancient operating systems. :-)

    • by tepples (727027) <tepples@nOSpAM.gmail.com> on Thursday August 04, 2011 @12:11PM (#36986870) Homepage Journal

      I didn't know Siemens S7 was running under ancient operating systems. :-)

      I don't know about S7, never having used it. But you might be surprised about what sort of real-time control systems still run on operating systems like DOS, using the operating system solely as a vehicle for occasional access to storage, because DOS lets the program take over so much of the computer's execution. Google embedded dos [google.com] and be surprised.

      • by h4rr4r (612664)

        You would need something like RTKernel to give you a RTOS on DOS. It makes no such guarantees. Like you said, use the OS only for storage access.

  • as I'm myself German I'm allowed to say that this is one of the most irritating attributes. TFA about the easter egg quotes one researcher with:

    They weren’t exactly happy. Considering where these devices are deployed, they didn’t think it was very funny.

    Easter eggs are cool, the flight simulator was the best feature in Excel 97(?).

    • by geekoid (135745) <dadinportland@ya ... m minus math_god> on Thursday August 04, 2011 @11:59AM (#36986724) Homepage Journal

      Adding more code to critical systems is NOT COOL. More bugs, more exploit. SCADA systems need to be developed by people who understand and enforce proper engineering and professionalism. This teenage hacker shot does NOT belong there.

      IF the software industry would start enforcing engineering principles, most of these messes would even exist.

      • This teenage hacker shot does NOT belong there.

        Posting from an Android device, I presume? I hate when it censors me like that.. in 2.x it was easy to add words, but 3.01 does things differently..

        • by geekoid (135745)

          no. From Chrome on XP. It's a typo. Not the O's location and the I's location.

          I don't remember my Nexus S every editing out the word 'shit'.

          • by Anonymous Coward

            no. From Chrome on XP. It's a typo. Not the O's location and the I's location.

            I don't remember my Nexus S every editing out the word 'shit'.

            Well, at least it seems like the spell check works grate.

          • I noticed, it's just that it happens so often on my tablet that I had to check! When I make a typo on a real keyboard, my fingers tend to know before my eyes..

      • by Gilmoure (18428)

        Engineering standards and accreditation for coders?

        • by gl4ss (559668)

          Engineering standards and accreditation for coders?

          you really think that helps? if that was a silver bullet you'd think the germans wouldn't be in this now..

          what's "wrong" with the system is that their complexity is unnecessary, but complexity is good for jobs
          .

          think about the code that ran a fancy oven, refrigator, AC or such 15 years ago. the systems are pretty much as complex now but you need to have n+5 2.5ghz computers in the mix. to raise the budget and complexity. can't have germans selling on the cheap you know.

      • by thegarbz (1787294)

        Call me crazy but a piece of non-executable code in a HTML file on a partition in the firmware does not sound a) exploitable, or b) critical.

        I'd be far more concerned if the code were actually running on the PLC but it isn't. It's as innocuous as a help text file and needs to be copied to a computer to be executed. *yawn*

        • Call me crazy but a piece of non-executable code in a HTML file on a partition in the firmware does not sound a) exploitable, or b) critical.

          Something has to process the HTML file. HTML is a complex standard -- far more so than plain text. An HTML rendering engine needs code to process every tag it supports.

          I remember back in the day when the Goodtimes virius hoax [wikipedia.org] was making the rounds. Software professionals were incredulous that people actually believed it was possible to catch a virus simply by re

          • by thegarbz (1787294)

            Our arguments stem from two different assumptions. You're assuming the PLC has the ability to actually execute and render a HTML page, I'm assuming it doesn't and that the file was there amongst others as a hoax.

            My assumption only stems from the fact that I've never seen a PLC, SCADA system, or DCS which has actual web interfaces coded into the firmware. I haven't use S7 but I would be dumbfounded if they actually had such a thing especially given how much vendors of these devices love their 100% propriety

    • Easter eggs are cool, the flight simulator was the best feature in Excel 97(?).

      This Easter egg is just some monkeys dancing under some text that translates to 'All work and no play makes Jack a dull boy'. Who knows what it could have been had someone wanted to be a bit more sinister.

      • by Creepy (93888)

        Actually the text doesn't literally translate well (literally "hear nothing, work nothing, only simple"), but the funny thing is (unless I'm missing an idiom, which is possible) it seems to mean the opposite of that phrase - I translate it as more "hear nothing and do nothing makes you a simpleton."

    • At least the US government requires all software features be fully documented, and easter eggs, by their very nature, tend to qualify as an undocumented software feature. This is why MS doesn't tend to put them in anymore.
    • by Infiniti2000 (1720222) on Thursday August 04, 2011 @12:10PM (#36986846)

      Easter eggs are cool

      No, Easter eggs (in software) are not cool. They cause problems in many ways.

      1. Once discovered, they cause embarrassment to the employer.
      2. They're a waste of resources (money) to the employer. The waste includes: time and money to actually implement or at a minimum opportunity cost for not working on real products, money spent removing the eggs, money spent repairing field items or possibly recall.
      3. If discovered, the employee faces potentially significant consequences. Obviously, this is likely termination, but depending on the length of employment and other facts, this could also severely affect future employment opportunities.
      4. This may do irreparable harm to the reputation of the employer. This could be long-lasting, too, as evidenced by your recollection of the Excel egg.
      5. The egg itself may be a source of a security vulnerability.
      6. The egg itself may have bugs and (besides a security vulnerability as mentioned above) cause a crash of the system.
      • by Anonymous Coward

        Easter eggs without authorization from the employer is not cool. It's unprofessional to insert any code that your employer doesn't know about. Similarly, it should be a internally documented feature. If the employer knows about it, we've pretty much shattered most of your objections related to consequences to the employee.

        That said, the time and money spent on "not working on real products" is usually a good morale booster. People like working on little things like that, programmers enjoy humor. Money

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      As I'm myself working for a grid operator I'm allowed to say that easter eggs in word processors and spreadsheets are one thing, and easter eggs in critical infrastructure control systems are quite another. Hopefully everyone can agree an easter egg in the software that controls the space shuttle would not be amusing either...

      • I don't know that actually sounds pretty damn fun. I'm pretty sure I could fly it if the spawn point wasn't too far away. First thing I'd do is buzz the space station and give the astronauts in there something to talk about besides dried strawberries and Nintendo at 0 gravity.

        Hopefully easier than Lunar Lander...

    • by TBBle (72184)

      Easter Eggs may be cool. Easter Eggs your QA team, management and people who're actually customer-facing don't know about are less cool. Easter Eggs that blow up in your face, introduce vulnerabilities, or simply surprise the users of industrial control systems (used in nuclear reactors at that!) are pretty uncool.

      This one was of the second type, and not (as far as we know) the third type.

      It does reflect a concerningly non-professional attitude to the development of an industrial device, in my opinion.

    • This is more like the one that did the easter egg was venting out a lot of frustration than for fun. I had a friend that worked for Siemens that were treated by the local managers and the german leadership worst than shit. One of their common answers were "we don't care if you don't like it because we have 50 engineers at the door begging for your post and we will pay them less than what we pay you." If the corporate culture is the same in all off Siemens is no wonder that their products get done so bad at

  • by elrous0 (869638) * on Thursday August 04, 2011 @11:58AM (#36986698)

    Yep, you showed Iran alright. Unfortunately, you also created a whole new giant pain in the world's ass.

    • by Anubis350 (772791) on Thursday August 04, 2011 @12:13PM (#36986902)
      I'm going to argue that Siemens created the problem by failing to secure their work against some rather embarrassing vulnerabilities. You think that if Stuxnet hadn't been created no-one would have eventually found these? Possible, I suppose, but doubtful, I mean someone had to be thinking along those lines in order to create stuxnet in the first place, and if one team can than so can another
      • Yeah these issues were well known before them.

        Fun fact: The PLCs that run the luggage systems at airports are usually controlled by modems, hooked up to secret numbers with NO AUTHENTICATION. See if you can figure out a number range used by an airport and wardial it (from a pay phone or a seedy motel of course). If you hit paydirt (you'll need a special tool to log in, standard stuff to anyone familiar with PLCs), you can make the luggage run backwards for epic lulz!

    • Yep, you showed Iran alright. Unfortunately, you also created a whole new giant pain in the world's ass.

      Considering the tradeoff I'll take the giant pain in the ass any day. Those folks "running" Iran should most definitly NOT have access to enriched uranium.

      • by sjames (1099)

        They will get there anyway. This was a delay only. Only now they'll be MORE pissed off.

        • They will get there anyway. This was a delay only. Only now they'll be MORE pissed off.

          Queue the bombers. If they get that far Israel or USA will bomb their factory back to the stone age.

      • The tradeoff was that Iran learned very quickly how to recover from such a set-back, was able to become operational and self-sufficient very quickly, and has now implemented additional security mechanisms in their operations to try to avoid something like this in the future. This only made them stronger and more self-reliant. Whoops.

        Having said that, I still despise the Iranian leadership.

        • Having said that, I still despise the Iranian leadership

          Therein lies the problem. I suspect eventually there will be two outcomes to the Iranian leadership problem: Either the students/young people will rise up against the regime (history repeating itself) or somone will bomb their uranium plants (at least the one's we know about) back to the stone age.

          • Well said! And if those are truly the two only possible outcomes, I hope for the former. At least then, the young people of Iran can take control of their own destiny after having learned the harsh lessons of living under both a monarchy and then a theocracy.

        • They are still buying their centrifuges and pretty all equipment from outside. Iran doesn't have much choice. I am not going to point out that the russians did in a few years what has Iran so far taken decades. There might be a reason they are slow other then outside influences.

          • There was a pretty good op-ed [washingtonpost.com] yesterday in the Washington Post that talked about this. Shortly after the revolution, most of the scientific institutions in Iran were either shut down or held back during the 1980s, but then started to make a resurgence in the 1990s, which is why it is taking so long for Iran to get anywhere.

            Anyway, the whole op-ed focuses on Iran being one of the few countries to not have much external help in their nuclear program. Now, this is just an opinion piece, so I'm not claiming it

            • It might even be more complicated [theatlantic.com] that you think.

              • This is a great find! And it really makes sense, especially since the political leadership in Iran is currently fractured. There's a huge power struggle between Ahmadinejad and Khameni, and in one of the Persian language newspapers that I was reading the other day, it said that they were even arguing over things such as women covering their hair. Ahmadinejad wants to relax the laws to allow women to show more hair, and Khameni and his backers wanted punishment for women who showed more hair.

                Anyway, my story

  • by LordStormes (1749242) on Thursday August 04, 2011 @12:00PM (#36986726) Homepage Journal

    ... but it looks like the article has just posted a how-to guide for how to pwn every utility in the USA, up to and including the port numbers to exploit and the password to use, before this vulnerability is patched. Does anybody else have a problem with this?

    • by MRe_nl (306212) on Thursday August 04, 2011 @12:07PM (#36986800)

      FTA:
      "Beresford had planned to discuss a few of the vulnerabilities at TakeDownCon in Texas in May, but pulled the talk at the last minute after Siemens and the Department of Homeland Security expressed concern about disclosing the security holes before Siemens could patch them.

      Heâ(TM)s been working with DHSâ(TM)s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, to validate and disclose the vulnerabilities and plans to withhold some information, as well as actual exploit code, until Siemens has a chance to patch the vulnerabilities that can be fixed".

    • by OzPeter (195038)

      ... but it looks like the article has just posted a how-to guide for how to pwn every utility in the USA, up to and including the port numbers to exploit and the password to use, before this vulnerability is patched. Does anybody else have a problem with this?

      Well not every company in the world runs S7 PLCs, so you would have to have a grab bag of vulnerabilities for each of the major PLC vendors. Of course I don't doubt that they all can be exploited in some way or another as they are all basically designed in with the same mindset. Then again I did deal with a system last year that used a serial connection - so that was totally unexploitable!

    • by gl4ss (559668)

      no, that shit should have been printed on news magazines years ago.

      it's not like they were going to do anything before that. backdoors are intentional anyways, not exactly vulnerabilities, but intentional, by design. and those industrial contract software creators don't do jack shit unless there's a payer for the fix. that's right, you buy sw and then when there's something wrong with it you get gouged for more.

      sure there's probably a few guys scrambling from their holidays to do some extra checking on thei

  • Seriously, does anyone pentest software anymore?
    • Yes, but only if I get hired to do it.

      If you know your software is a half-baked piece of crap, the very last thing you'd want is to have it pentested. What you want is to slap a big name on it and trust that some management fools go by the creed of "nobody has ever been fired for buying $bigname".

    • by blacklint (985235)

      Well, Dillon Beresford apparently does, so yes :)

  • Nice. Although I have to say I am not surprised. Software is just an after thought for these guys. They are more interested in the industrial aspects and have to have software to "make it go..."
  • by Anonymous Coward

    The developers that code the software that runs SCADA (system control and data aquisition) and PID (proportional/integral/differential) controllers are usually more concerned about massaging bytes into bits the hardware will understand, avoiding logic races, and optimizing code for both size and speed, rather than worrying about remote exploits. 32k of memory isn't unheard of (note, k is an old computer term meaning kilobyte, and it takes 1024 of these kilobytes to make a lowly Megabyte, and of course 1024

  • ...from SIEMENS that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.

    Hell, this is a company whose senior software engineers in their corporate research center(s) think you need to use Tomcat in order to have a client talk to a server (apparently they don't actually know/understand how to use a socket themselves - no shit.)

    • by OzPeter (195038)

      ...from SIEMENS^D^D^D^D^D^D^D GE^D^D Invensys^D^D^D^D^D^D^D^D GE^D^D Bailey^D^D^D^D^D^D Toshiba^D^D^D^D^D^D^D GE^D^D [*] and several other firms that will remain un-named for now that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.

      [*] I've worked with multiple GE divisions.

    • I had my share of work with Siemens. When you see people boast that they're "software engineers" and then see them struggle with VB, you know something is not quite right.

      But hey, what do you expect? We got a good deal of our technical personnel (including programmers) from temp agencies, actually, from some point in 2000something, we could ONLY hire temp agency workers for tech work. You might imagine the average productivity when the average tenure is about 3 months (because no programmer actually has to

  • by OzPeter (195038) on Thursday August 04, 2011 @12:23PM (#36987044)
    Can we please get over the usual comments of "Why are these even connected to the Internet??!?!?!?"

    As TFA points out, even air gapping the control and business networks doesn't always work. And in every plant I have worked in (except one*) over the last XXX number of years, I have been freely allowed to load up any file I wanted (using my own USB flash drive) into the control network. I believe my equipment is free of viruses, but with the sophistication of Stuxnet, who can tell what the next generation of industrial sabotage tools will be like and if/how they can be detected by current technology. So I can only assume that I have not caused any issues for my clients.

    [*] The exception was a plant where there was some controls software running on a VM that was on a server under control of the IT department. The only way *I* could get files onto that box was to upload them to a public directory and let the corporate system check them and drop them off on the other side of the firewall. Unless of course I handed by USB key to the client and said "Can you directly drop these files on the server for me???"
    • Except that if the network isn't connected to the Internet in any way, and you're relying on a third party as your vector, you have no way of getting information back about their systems or altering your attack after delivery. You have one shot to get the attack right.

      Removing the Internet vector doesn't eliminate the possibility of attack, but it sure cuts down on chances for success. I'll take that.

    • by thegarbz (1787294)

      And in every plant I have worked in (except one*) over the last XXX number of years, I have been freely allowed to load up any file I wanted (using my own USB flash drive) into the control network.

      What the hell? Why do your control networked computers have USB ports? Ours have CD burners and a stack of blanks next to them for this purpose.

      But you raise a very valid point here. Security != Airgap. Security is something that needs to be thought of and designed from the ground up. It's a system of design choices concerning every part of the interaction with a control network.

      Our machines aren't airgapped from the business network. They are connected via another network which kind of acts as a double sid

  • by Is0m0rph (819726) on Thursday August 04, 2011 @12:34PM (#36987180)
    Allen Bradley CEO sees $$$$$$$
    • AB better be implementing a large scale code review, or the next article will be about their vulnerabilities.
  • According to Digital Bond [digitalbond.com], Beresford's PLC runs Linux. Cue the GPL requests for Siemen's source code now (I wonder if the backdoor username and password are hard-coded into a GPL's utility :)).

    Disclosure: I work for Digital Bond.

    Reid

    • by basotl (808388)
      They all sound like utilities on top of Linux. An area completely legal to run proprietary software on.
      • by giminy (94188)

        This is what "I wonder if...," means. A request for all parts of the source to which an owner of the product is entitled would tell for sure.

  • Now I really don't like PLC's :-). Computers win again!!!!! HAHAHA
  • I blame Wayne Knight. If he had been a bit thinner, perhaps with a German accent, and been less bumbling, maybe the world would THINK about the means it uses to keep various carnivorous dinosaurs from leaving their security enclosures. And Crichton should have named the character von Nedry-Schleswig, or something. You've got to take the bad guys seriously if you have NO IDEA how they do their evil plans. No, no metaphors at all in that paragraph.
  • But when was it decided to connect industrial systems like this to the internet at all? Didn't isolation (or at least isolated networks) used to be the norm? I have to say if I was running a robot that build cars or a machine that controls nuclear material I would definitely not connect it to the internet or even a companies L.A.N..

    Not that it makes these problems unimportant, but everyone seems to be overlooking the obvious basic bumble of connecting a critical system to a public network.
    • No, you're not an idiot, those are valid questions.

      As you indicated; these belong on isolated networks. Now "isolated" can mean a lot of things to different people. In some places it's a VLAN on a switch and bunch of (active) ports across the factory floor. Ports that may not enforce NAC or some other restriction. So, someone could plug in a device and get to it.

      Also vendors may have access to these isolated networks via VPN or dedicated connections. Sometimes that's the best way to gain access to a co

  • this is so much hype. seriously, who is going to take the time to hack this kind of hardware. it's not like you see industrial machinery breaking because of-wait. what? what is this Stuxnet you speak of?

  • My company uses the S7 PLCs a lot, and they are known to be 'vulnerable' when you have access to them over the network. That is by design, that is how you program them. It is like saying a Linux machine is vulnerable, because port 22 is open. Difference is that, because of limited resources, a PLC doesn't need username and password to log on to.

    Which is the reason, PLCs are in a industrial ethernet, with extensive firewall and only accessible through VPN. But once you can connect to them over port 102, you

"You know, we've won awards for this crap." -- David Letterman

Working...