Experts found a backdoor in Siemens PLCs. Critical infrastructure and SCADA networks affected

A team of web application security specialists from Ruhr University in Bochum, Germany, has discovered a critical vulnerability in some new programmable logic controller (PLC) models manufactured by Siemens. According to the experts, the flaw is related to the presence of a hidden access feature and could be exploited both to perform cyberattacks and, conversely, as a security tool.

The security issue is related to the hardware access function of the Siemens S7-1200 PLC (this feature processes software updates and verifies the integrity of the PLC firmware when the device starts). Apparently, this access exhibits behavior similar to that of a backdoor.

According to web application security experts, a threat actor may abuse this feature to bypass the firmware integrity verification step for about half a second, a window in which the attacker could load malicious code onto the device and subsequently gain full control over its processes.

In their report, the experts say they do not know why Siemens would have installed such access on these devices: “This is clearly a bad security practice; this feature gives anyone with sufficient knowledge access to the contents of memory, as well as the ability to overwrite data and extract information,” the experts say.

During the investigation, the experts discovered that this hidden access can also be useful for security researchers, as it provides a way to perform forensic analysis of the device’s memory. “We managed to use this feature to access the contents of the PLC’s memory, which could help in digital forensics investigations to detect malicious code. Although the company does not allow access to memory content under normal conditions, this is feasible using this access,” the experts conclude. The findings will be officially presented during a cybersecurity event to be held next month in London.

On the other hand, Siemens received the report on this security flaw in a timely manner and has already announced that a fix will be released as soon as possible. “We are aware of the research of the experts of Ruhr University, regarding special hardware-based access on SIMATIC S7-1200 CPUs; our web application security teams are working to resolve the issue as soon as possible. We recommend that our users remain alert to any official update,” the company’s statement says.

It is still unknown whether Siemens will deploy only software updates or whether new hardware components will be needed to fix this vulnerability. International Institute of Cyber Security (IICS) web application security specialists mention that a hardware replacement would be a definitive solution, but that it would be very complicated to carry out for all affected devices (something similar to the Nintendo Switch case). That being said, the company will most likely release successive security updates to fix the flaw.

A couple of months ago, another investigation into Siemens S7 PLCs was revealed; on that occasion, experts discovered that all modern S7 PLC families were running the same firmware version, and that they even shared the same cryptographic key. The company received all of these reports and began the process of correcting the security flaws.