DOS, Backdoor, and Easter Egg Found In Siemens S7
chicksdaddy writes with a post in Threat Post. From the article: "Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe. In an interview Tuesday evening, Beresford said he has reported 18 separate issues to Siemens and to officials at ICS CERT, the Computer Emergency Response Team for the Industrial Control Sector. Siemens said it is readying a patch for some of the holes, including one that would allow a remote attacker to gain administrative control over machinery controlled by certain models of its Step 7 industrial control software."
Oh Good, A Backdoor (Score:3)
Re: (Score:3)
Re: (Score:2)
Depends. Government agency will disclose that information. There are guidelines you need to follow.
Private corporations don't.
Re: (Score:2)
Depends. Government agency will disclose that information. There are guidelines you need to follow.
Private corporations don't.
Unless that government is Israel and their Stuxnet program. Don't piss them off or suffer the fate of Japan.
The reactors along the New Madrid fault use Siemens' SCADA systems, don't they?
Re: (Score:2)
Considering that malware targeting Siemens' SCADA systems has been around since last year
I'd have thought Siemens would have learned something from the hardcoded passwords that allowed Stuxnet to proliferate. Of course, I'd be wrong again.
Re: (Score:2)
That wouldn't change the installed base though. And it is unlikely to get much of that base patched. "What do you mean, shut the factory down because you need to install some new software? You had your opportunity last October; you'll get your next opportunity next October. You get one day. Test system? I dunno. You tell me where the test system is; I know I haven't got room for one here. You must be new here. Just hired last week eh? The last guy
Re:Oh Good, A Backdoor (Score:5, Insightful)
Actually, I'd hazard a guess that MOST SCADA systems are vulnerable. These things weren't designed with security in mind - they're supposed to run off closed networks separated from the Internet (easily done - most of these things predate the Internet).
Heck, the biggest "security issue" would've been access via OPC ("OLE for Process Control" - yes, that same stuff Microsoft touted - "Object Linking and Embedding" from Windows 3.x).
And yeah, most industrial entities probably lack the proper IT team and infrastructure - after all, most of their work involved keeping the network up and running for the controllers, keeping OPC working. Then someone demands Internet connectivity on their desktop and they set up routers and firewalls (and don't know about stuff like data diodes).
Basically, stuff that was never designed for security ends up on the Internet.
Re: (Score:2)
Basically, stuff that was never designed for security ends up on the Internet.
Oh, this is too easy.
Re: (Score:1)
I am still scratching my head as to how these machines are exactly web facing so that they could be remotely exploited? I have a hard time picturing a robotic arm with a web interface to control it. It would more likely be a custom application on an embedded system. Did I mention embedded systems? They're a bit different from Windows based systems on most occasions. Dunno, really can't follow the logic here; the only thing that should face the web should be non-employee based consumer websites for a business, ma
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Siemens hole has already been used to rape Iran (Stuxnet fun). Doesn't get much more rapey than that.
Did you mean rapier?
Re: (Score:2)
Not just that, I assumed that it was always known that semens' code will spawn a child process.
Re: (Score:1)
Re: (Score:1)
Oh, THAT DOS... (Score:3)
Re: (Score:2)
Better yet, you can run WordPerfect 5.1 and Lotus 1-2-3!!
Re: (Score:2)
Better yet, you can run WordPerfect 5.1 and Lotus 1-2-3!!
Only if you still have that keyboard map/Rosetta stone they included. I think it was ctrl-option-shift-F13 to insert "WTF?"
Re: (Score:2)
Better yet, you can run WordPerfect 5.1 and Lotus 1-2-3!!
But that is productivity software; why would we want to load that on an industrial controller? It would be far more interesting to use it to play Doom instead...
Re: (Score:2)
Preferably with the industrial robots those systems control.
They found DOS there? (Score:1)
They found DOS there? I didn't know Siemens S7 was running under ancient operating systems. :-)
Embedded systems may not need much of an OS (Score:5, Interesting)
I didn't know Siemens S7 was running under ancient operating systems. :-)
I don't know about S7, never having used it. But you might be surprised about what sort of real-time control systems still run on operating systems like DOS, using the operating system solely as a vehicle for occasional access to storage, because DOS lets the program take over so much of the computer's execution. Google embedded dos [google.com] and be surprised.
Re: (Score:2)
You would need something like RTKernel to give you a RTOS on DOS. It makes no such guarantees. Like you said, use the OS only for storage access.
Mechanical disks aren't deterministic (Score:2)
DOS by itself does nothing. Disk access is deterministic under it.
Not if your underlying disk isn't deterministic. A hard drive might have thermal recalibration, sector remapping, spin retries, etc. Can something like RTKernel make disk access asynchronous so that the rest of the system can continue to run even if the disk is lagging?
Re: (Score:2)
As long as your storage device is using DMA this is a factor of whether you are blocking on I/O.
Re: (Score:2)
Re: (Score:2)
That's a great question. Everything I know about it comes from A) being a user back when we had such hardware in service and B) taking one class in x86/DOS ASM. So that is to say, not much.
Germans and humour... (Score:2)
As I'm myself German I'm allowed to say that this is one of the most irritating attributes. TFA about the easter egg quotes one researcher with:
They weren’t exactly happy. Considering where these devices are deployed, they didn’t think it was very funny.
Easter eggs are cool, the flight simulator was the best feature in Excel 97(?).
Re:Germans and humour... (Score:5, Insightful)
Adding more code to critical systems is NOT COOL. More bugs, more exploit. SCADA systems need to be developed by people who understand and enforce proper engineering and professionalism. This teenage hacker shot does NOT belong there.
IF the software industry would start enforcing engineering principles, most of these messes would not even exist.
Re: (Score:2)
This teenage hacker shot does NOT belong there.
Posting from an Android device, I presume? I hate when it censors me like that.. in 2.x it was easy to add words, but 3.01 does things differently..
Re: (Score:2)
No. From Chrome on XP. It's a typo. Note the O's location and the I's location.
I don't remember my Nexus S ever editing out the word 'shit'.
Re: (Score:1)
No. From Chrome on XP. It's a typo. Note the O's location and the I's location.
I don't remember my Nexus S ever editing out the word 'shit'.
Well, at least it seems like the spell check works grate.
Re: (Score:2)
May spill chucker work four me, canned ewe sea?
Re: (Score:2)
I noticed, it's just that it happens so often on my tablet that I had to check! When I make a typo on a real keyboard, my fingers tend to know before my eyes..
Re: (Score:3)
Engineering standards and accreditation for coders?
Re: (Score:2)
Engineering standards and accreditation for coders?
You really think that helps? If that was a silver bullet you'd think the Germans wouldn't be in this now..
What's "wrong" with the system is that their complexity is unnecessary, but complexity is good for jobs.
Think about the code that ran a fancy oven, refrigerator, AC or such 15 years ago. The systems are pretty much as complex now but you need to have n+5 2.5GHz computers in the mix, to raise the budget and complexity. Can't have Germans selling on the cheap you know.
Re: (Score:2)
Call me crazy but a piece of non-executable code in an HTML file on a partition in the firmware does not sound a) exploitable, or b) critical.
I'd be far more concerned if the code were actually running on the PLC but it isn't. It's as innocuous as a help text file and needs to be copied to a computer to be executed. *yawn*
Re: (Score:3)
Something has to process the HTML file. HTML is a complex standard -- far more so than plain text. An HTML rendering engine needs code to process every tag it supports.
I remember back in the day when the Goodtimes virus hoax [wikipedia.org] was making the rounds. Software professionals were incredulous that people actually believed it was possible to catch a virus simply by re
Re: (Score:2)
Our arguments stem from two different assumptions. You're assuming the PLC has the ability to actually execute and render an HTML page; I'm assuming it doesn't and that the file was there amongst others as a hoax.
My assumption only stems from the fact that I've never seen a PLC, SCADA system, or DCS which has actual web interfaces coded into the firmware. I haven't used S7 but I would be dumbfounded if they actually had such a thing, especially given how much vendors of these devices love their 100% propriety
Re: (Score:2)
Easter eggs are cool, the flight simulator was the best feature in Excel 97(?).
This Easter egg is just some monkeys dancing under some text that translates to 'All work and no play makes Jack a dull boy'. Who knows what it could have been had someone wanted to be a bit more sinister.
Re: (Score:2)
Actually the text doesn't literally translate well (literally "hear nothing, work nothing, only simple"), but the funny thing is (unless I'm missing an idiom, which is possible) it seems to mean the opposite of that phrase - I translate it as more "hear nothing and do nothing makes you a simpleton."
Re: (Score:2)
Re:Germans and humour... (Score:5, Insightful)
Easter eggs are cool
No, Easter eggs (in software) are not cool. They cause problems in many ways.
Re: (Score:1)
Easter eggs without authorization from the employer are not cool. It's unprofessional to insert any code that your employer doesn't know about. Similarly, it should be an internally documented feature. If the employer knows about it, we've pretty much shattered most of your objections related to consequences to the employee.
That said, the time and money spent on "not working on real products" is usually a good morale booster. People like working on little things like that, programmers enjoy humor. Money
Re: (Score:2)
You're that guy. The one that makes everybody else miserable. Grow a personality you fucking corp monkey.
Yeah, I'm that guy. I'm that guy that wrote software for Class III medical devices. While I can't say if the Siemens controllers are used in similar types of devices, stupid, fucking morons (apparently like you) make life really fucking difficult for people like me. We did work with German products, by the way, and spent a significant amount of time fixing their shit up. (I'm in the U.S.) While that may just be one sample of a German company (we found no Easter eggs), it's the general principle here I'
Re: (Score:2, Insightful)
As I'm myself working for a grid operator I'm allowed to say that easter eggs in word processors and spreadsheets are one thing, and easter eggs in critical infrastructure control systems are quite another. Hopefully everyone can agree an easter egg in the software that controls the space shuttle would not be amusing either...
Re: (Score:2)
I don't know that actually sounds pretty damn fun. I'm pretty sure I could fly it if the spawn point wasn't too far away. First thing I'd do is buzz the space station and give the astronauts in there something to talk about besides dried strawberries and Nintendo at 0 gravity.
Hopefully easier than Lunar Lander...
Re: (Score:1)
Easter Eggs may be cool. Easter Eggs your QA team, management and people who're actually customer-facing don't know about are less cool. Easter Eggs that blow up in your face, introduce vulnerabilities, or simply surprise the users of industrial control systems (used in nuclear reactors at that!) are pretty uncool.
This one was of the second type, and not (as far as we know) the third type.
It does reflect a concerningly non-professional attitude to the development of an industrial device, in my opinion.
Re: (Score:3)
This is more like the one that did the easter egg was venting out a lot of frustration than doing it for fun. I had a friend that worked for Siemens who was treated by the local managers and the German leadership worse than shit. One of their common answers was "we don't care if you don't like it because we have 50 engineers at the door begging for your post and we will pay them less than what we pay you." If the corporate culture is the same in all of Siemens it is no wonder that their products get done so bad at
Gee thanks Mossad (Score:3)
Yep, you showed Iran alright. Unfortunately, you also created a whole new giant pain in the world's ass.
Re:Gee thanks Mossad (Score:4, Insightful)
Re: (Score:2)
Yeah these issues were well known before them.
Fun fact: The PLCs that run the luggage systems at airports are usually controlled by modems, hooked up to secret numbers with NO AUTHENTICATION. See if you can figure out a number range used by an airport and wardial it (from a pay phone or a seedy motel of course). If you hit paydirt (you'll need a special tool to log in, standard stuff to anyone familiar with PLCs), you can make the luggage run backwards for epic lulz!
Re: (Score:2)
Yep, you showed Iran alright. Unfortunately, you also created a whole new giant pain in the world's ass.
Considering the tradeoff I'll take the giant pain in the ass any day. Those folks "running" Iran should most definitely NOT have access to enriched uranium.
Re: (Score:2)
They will get there anyway. This was a delay only. Only now they'll be MORE pissed off.
Re: (Score:2)
They will get there anyway. This was a delay only. Only now they'll be MORE pissed off.
Cue the bombers. If they get that far Israel or the USA will bomb their factory back to the stone age.
Re: (Score:2)
Re: (Score:2)
The tradeoff was that Iran learned very quickly how to recover from such a set-back, was able to become operational and self-sufficient very quickly, and has now implemented additional security mechanisms in their operations to try to avoid something like this in the future. This only made them stronger and more self-reliant. Whoops.
Having said that, I still despise the Iranian leadership.
Re: (Score:2)
Having said that, I still despise the Iranian leadership
Therein lies the problem. I suspect eventually there will be two outcomes to the Iranian leadership problem: either the students/young people will rise up against the regime (history repeating itself) or someone will bomb their uranium plants (at least the ones we know about) back to the stone age.
Re: (Score:2)
Well said! And if those are truly the two only possible outcomes, I hope for the former. At least then, the young people of Iran can take control of their own destiny after having learned the harsh lessons of living under both a monarchy and then a theocracy.
No it didn't (Score:2)
They are still buying their centrifuges and pretty much all equipment from outside. Iran doesn't have much choice. I am not going to point out that the Russians did in a few years what has so far taken Iran decades. There might be a reason they are slow other than outside influences.
Re: (Score:2)
There was a pretty good op-ed [washingtonpost.com] yesterday in the Washington Post that talked about this. Shortly after the revolution, most of the scientific institutions in Iran were either shut down or held back during the 1980s, but then started to make a resurgence in the 1990s, which is why it is taking so long for Iran to get anywhere.
Anyway, the whole op-ed focuses on Iran being one of the few countries to not have much external help in their nuclear program. Now, this is just an opinion piece, so I'm not claiming it
Re: (Score:2)
It might even be more complicated [theatlantic.com] than you think.
Re: (Score:2)
This is a great find! And it really makes sense, especially since the political leadership in Iran is currently fractured. There's a huge power struggle between Ahmadinejad and Khameni, and in one of the Persian language newspapers that I was reading the other day, it said that they were even arguing over things such as women covering their hair. Ahmadinejad wants to relax the laws to allow women to show more hair, and Khameni and his backers wanted punishment for women who showed more hair.
Anyway, my story
Only quickly scanned TFA.... (Score:3)
... but it looks like the article has just posted a how-to guide for how to pwn every utility in the USA, up to and including the port numbers to exploit and the password to use, before this vulnerability is patched. Does anybody else have a problem with this?
Need a new scanner... (Score:4)
FTA:
"Beresford had planned to discuss a few of the vulnerabilities at TakeDownCon in Texas in May, but pulled the talk at the last minute after Siemens and the Department of Homeland Security expressed concern about disclosing the security holes before Siemens could patch them.
He's been working with DHS's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, to validate and disclose the vulnerabilities and plans to withhold some information, as well as actual exploit code, until Siemens has a chance to patch the vulnerabilities that can be fixed."
Re: (Score:2)
TFA says the exploit described only affects unpatched systems from 2009. I trust non-USA companies (discounting TEPCO) to be smart enough to patch their stuff.
Re: (Score:1)
And their customers? Or those downwind or downstream? What do they deserve?
Re: (Score:3)
That's a little naive. I can promise you PLCs running unpatched versions of software are running accessible from the internet and no amount of "You shouldn't have done that, dummy" is going to magically secure them overnight. The reality is that our industry simply isn't as security conscious as it needs to be and while some of us recognize the PLC systems should be air-gapped anyway, I doubt that's the norm.
If your power goes out tonight, I'm going to smile a little inside. Deserved?
Re: (Score:2)
... but it looks like the article has just posted a how-to guide for how to pwn every utility in the USA, up to and including the port numbers to exploit and the password to use, before this vulnerability is patched. Does anybody else have a problem with this?
Well not every company in the world runs S7 PLCs, so you would have to have a grab bag of vulnerabilities for each of the major PLC vendors. Of course I don't doubt that they all can be exploited in some way or another as they are all basically designed in with the same mindset. Then again I did deal with a system last year that used a serial connection - so that was totally unexploitable!
Re: (Score:2)
No, that shit should have been printed in news magazines years ago.
It's not like they were going to do anything before that. Backdoors are intentional anyways, not exactly vulnerabilities, but intentional, by design. And those industrial contract software creators don't do jack shit unless there's a payer for the fix. That's right, you buy sw and then when there's something wrong with it you get gouged for more.
sure there's probably a few guys scrambling from their holidays to do some extra checking on thei
Oh, come ON!!! (Score:1)
Re: (Score:2)
Yes, but only if I get hired to do it.
If you know your software is a half-baked piece of crap, the very last thing you'd want is to have it pentested. What you want is to slap a big name on it and trust that some management fools go by the creed of "nobody has ever been fired for buying $bigname".
Re: (Score:2)
Well, Dillon Beresford apparently does, so yes :)
Not surprised (Score:2)
Backdoors in bitbanging software (Score:1)
The developers that code the software that runs SCADA (system control and data acquisition) and PID (proportional/integral/differential) controllers are usually more concerned about massaging bytes into bits the hardware will understand, avoiding logic races, and optimizing code for both size and speed, rather than worrying about remote exploits. 32k of memory isn't unheard of (note, k is an old computer term meaning kilobyte, and it takes 1024 of these kilobytes to make a lowly Megabyte, and of course 1024
Having personally worked with "software engineers" (Score:3)
...from SIEMENS that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.
Hell, this is a company whose senior software engineers in their corporate research center(s) think you need to use Tomcat in order to have a client talk to a server (apparently they don't actually know/understand how to use a socket themselves - no shit.)
Re: (Score:3)
...from SIEMENS^D^D^D^D^D^D^D GE^D^D Invensys^D^D^D^D^D^D^D^D GE^D^D Bailey^D^D^D^D^D^D Toshiba^D^D^D^D^D^D^D GE^D^D [*] and several other firms that will remain un-named for now that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.
[*] I've worked with multiple GE divisions.
Re: (Score:2)
I had my share of work with Siemens. When you see people boast that they're "software engineers" and then see them struggle with VB, you know something is not quite right.
But hey, what do you expect? We got a good deal of our technical personnel (including programmers) from temp agencies, actually, from some point in 2000something, we could ONLY hire temp agency workers for tech work. You might imagine the average productivity when the average tenure is about 3 months (because no programmer actually has to
Cue Comments on Internet .. 3 .. 2 .. 1 (Score:5, Interesting)
As TFA points out, even air gapping the control and business networks doesn't always work. And in every plant I have worked in (except one*) over the last XXX number of years, I have been freely allowed to load up any file I wanted (using my own USB flash drive) into the control network. I believe my equipment is free of viruses, but with the sophistication of Stuxnet, who can tell what the next generation of industrial sabotage tools will be like and if/how they can be detected by current technology. So I can only assume that I have not caused any issues for my clients.
[*] The exception was a plant where there was some controls software running on a VM that was on a server under control of the IT department. The only way *I* could get files onto that box was to upload them to a public directory and let the corporate system check them and drop them off on the other side of the firewall. Unless of course I handed my USB key to the client and said "Can you directly drop these files on the server for me???"
Re: (Score:1)
Except that if the network isn't connected to the Internet in any way, and you're relying on a third party as your vector, you have no way of getting information back about their systems or altering your attack after delivery. You have one shot to get the attack right.
Removing the Internet vector doesn't eliminate the possibility of attack, but it sure cuts down on chances for success. I'll take that.
Re: (Score:2)
And in every plant I have worked in (except one*) over the last XXX number of years, I have been freely allowed to load up any file I wanted (using my own USB flash drive) into the control network.
What the hell? Why do your control networked computers have USB ports? Ours have CD burners and a stack of blanks next to them for this purpose.
But you raise a very valid point here. Security != Airgap. Security is something that needs to be thought of and designed from the ground up. It's a system of design choices concerning every part of the interaction with a control network.
Our machines aren't airgapped from the business network. They are connected via another network which kind of acts as a double sid
Re: (Score:2)
AB Logix (Score:3)
Re: (Score:2)
Re: (Score:2)
Siemens also makes many of the Fisher Price My First Modems that telcos give to their customers. 'Nuff said.
Runs Linux (Score:2)
According to Digital Bond [digitalbond.com], Beresford's PLC runs Linux. Cue the GPL requests for Siemens' source code now (I wonder if the backdoor username and password are hard-coded into a GPL'd utility :)).
Disclosure: I work for Digital Bond.
Reid
Re: (Score:2)
Re: (Score:2)
This is what "I wonder if...," means. A request for all parts of the source to which an owner of the product is entitled would tell for sure.
Never liked PLC's (Score:1)
"It's Unix! I know that language!" (Score:1)
I guess I'm an idiot (Score:1)
Not that it makes these problems unimportant, but everyone seems to be overlooking the obvious basic bumble of connecting a critical system to a public network.
Re: (Score:1)
No, you're not an idiot, those are valid questions.
As you indicated, these belong on isolated networks. Now "isolated" can mean a lot of things to different people. In some places it's a VLAN on a switch and a bunch of (active) ports across the factory floor. Ports that may not enforce NAC or some other restriction. So, someone could plug in a device and get to it.
Also vendors may have access to these isolated networks via VPN or dedicated connections. Sometimes that's the best way to gain access to a co
complete hype (Score:1)
this is so much hype. seriously, who is going to take the time to hack this kind of hardware. it's not like you see industrial machinery breaking because of-wait. what? what is this Stuxnet you speak of?
Connecting on port 102 hardly an 'attack' (Score:2)
My company uses the S7 PLCs a lot, and they are known to be 'vulnerable' when you have access to them over the network. That is by design; that is how you program them. It is like saying a Linux machine is vulnerable because port 22 is open. The difference is that, because of limited resources, a PLC doesn't need a username and password to log on.
Which is the reason PLCs are in an industrial Ethernet, with an extensive firewall and only accessible through VPN. But once you can connect to them over port 102, you
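Since the post above says the S7 programming port (TCP 102) has no credentials of its own, the firewall and VPN allowlist are effectively the only authentication, so it is worth checking that they hold. The script below is an added example, not code from the thread or from Siemens: it reads constructed firewall log lines in a made-up `timestamp src:port -> dst:port proto action` format and flags any connection to port 102 on a hypothetical PLC subnet from a source outside a hypothetical allowlist (the VPN pool and one engineering workstation).

```python
"""Flag TCP/102 (ISO-TSAP, STEP 7 programming) connections to PLCs from unexpected sources.

Constructed example.  Log format, subnets and sample lines are assumptions, not
taken from any real plant or from the page.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

S7_PORT = 102  # the port STEP 7 uses to program S7 PLCs; no credentials on the PLC side

# Hypothetical allowlist: VPN address pool plus one engineering workstation.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.5.0/24"),
    ipaddress.ip_network("10.20.9.10/32"),
]
# Hypothetical PLC segment (the "industrial Ethernet" behind the firewall).
PLC_NETWORK = ipaddress.ip_network("192.168.50.0/24")

# Assumed log line shape: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


@dataclass
class Finding:
    timestamp: str
    src: str
    dst: str
    action: str
    severity: str  # "high" if the firewall let it through, "attempt" if it was denied


def is_allowed_source(ip: str) -> bool:
    """True if ip falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of a log line, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per TCP/102 connection to the PLC subnet from a non-allowlisted source."""
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].upper() != "TCP" or int(rec["dport"]) != S7_PORT:
            continue
        try:
            dst = ipaddress.ip_address(rec["dst"])
            allowed = is_allowed_source(rec["src"])
        except ValueError:
            continue  # unparsable address: skip rather than crash the audit
        if dst not in PLC_NETWORK or allowed:
            continue  # not PLC traffic, or expected engineering traffic
        severity = "high" if rec["action"].upper() == "ALLOW" else "attempt"
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["action"], severity))
    return findings


# Constructed sample log: one legitimate session, one office-LAN host that got
# through, one blocked Internet source, one non-102 connection, one junk line.
SAMPLE_LOG = """\
2011-08-04T10:00:01 10.20.5.17:51234 -> 192.168.50.11:102 TCP ALLOW
2011-08-04T10:02:13 10.30.1.44:40123 -> 192.168.50.11:102 TCP ALLOW
2011-08-04T10:05:40 203.0.113.9:3311 -> 192.168.50.12:102 TCP DENY
2011-08-04T10:06:00 10.30.1.44:40200 -> 192.168.50.11:80 TCP ALLOW
firewall: ruleset reloaded
2011-08-04T10:07:22 10.20.9.10:55001 -> 192.168.50.13:102 TCP ALLOW
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(finding)
```

A "high" finding means a host with no business programming PLCs reached port 102, which on an S7 is equivalent to a logon; "attempt" findings show where the firewall is doing its job and which sources are probing.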