Siemens Offers Workarounds for Newly Found PLC Vulnerability

An undocumented hardware-based special access feature recently found by researchers in Siemens' S7-1200 can be used by attackers to gain control of the industrial devices.

Dark Reading Staff, Dark Reading

December 3, 2019

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Siemens recently issued a security advisory with workarounds and mitigations for a vulnerability uncovered by researchers in its S7-1200 programmable logic controllers (PLCs) that could be used to bypass a firmware integrity check to load malware or hijack the industrial processes of the devices.

Researchers from Ruhr University Bochum in Germany found an undocumented hardware-based special access feature in Siemens' S7-1200 PLCs while studying its bootloader, which handles software updates and verifies the integrity of the PLC's firmware when the device starts up.

Ali Abbasi, a research scholar at Ruhr-University Bochum, doctoral student Tobias Scharnowski, and professor Thorsten Holz will present their findings this week in London at Black Hat Europe. The researchers alerted Siemen, which says it plans to fix the flaw.

It's unclear whether the flaw can be fixed in software or if it requires a hardware swap, according to Abbasi, and the researchers are not sure if additional models of the PLC also are affected.

In a statement in response to an inquiry on the nature of the fix, Siemens said it's still working on the issue, pointing to the SSA-686531 advisory it released late last month. "We are in the process of reviewing our product models and will post updates to SSA-686531 if further models are affected," Siemens said. "With respect to a final solution, Siemens experts continue to work on the issue. Siemens provided workarounds and mitigations within the Siemens Security Advisory (SSA-686531) and Siemens will update the document when a final solution is available."

Abassi and his fellow researchers also found that the special access feature in the PLCs could also be used for good: as a forensic tool for defenders. They employed the feature to view the contents of the PLC's memory, so a plant operator could also use it to find malicious code on the device, for example.

Edgepromohorizontal.jpgCheck out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Read more about:

Black Hat News

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights