The Stuxnet superworm found in Iran on Siemens PLCs (programmable logic controllers) is not the only security problem Siemens now has to deal with. According to Ars Technica, a security researcher has found even more vulnerabilities. These vulnerabilities bypass the Step7 software that is used to monitor and program the PLCs (the Stuxnet worm relied on the Step7 software). They include security holes such as hardcoded passwords, which means the systems could be reprogrammed and administrators could be locked out.
The hardcoded password is six letters, and the username is the same: Basisk. Siemens engineers had left the password embedded in some versions of the software used in the S7-300 PLC. The backdoor gives access to a command shell that can dump the memory of the S7-300.
Another issue that plagues the Siemens PLCs is the ability to capture a command and replay it on any other PLC. Last month, Siemens fixed the issue on one model, but it apparently affects several other models, including the S7-300. The root cause is that session IDs never expire unless an administrator physically restarts the machine by power-cycling it and issuing the necessary commands.
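The replay problem above comes down to a session identifier that stays valid indefinitely and is not bound to the moment a command was sent. The following is an added illustration, not code from the article, from Siemens or from the researcher, and it does not model the S7 protocol: it contrasts a constructed session scheme with no expiry (where a captured command is accepted again later) against one that adds a time-to-live, a strictly increasing per-session sequence number and an HMAC over the tuple, so that the same captured message is rejected on resend. The key, message format and command name are all constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder shared key for the hardened scheme (not a real credential).
KEY = b"constructed-shared-key"


def sign(session_id, seq, command):
    """Authenticate (session, sequence number, command) so none can be altered."""
    msg = f"{session_id}|{seq}|{command}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


class NonExpiringSessions:
    """Weak design: a session ID stays valid until the device is restarted, and a
    command carries nothing that ties it to when it was originally sent."""

    def __init__(self):
        self.sessions = set()

    def login(self):
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return sid

    def accept(self, session_id, command, now):
        # The time of arrival plays no role, so a captured message is accepted any time.
        return session_id in self.sessions


class ExpiringSessions:
    """Hardened design: sessions expire, each command carries a strictly
    increasing sequence number, and the whole tuple is authenticated."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.sessions = {}  # session id -> {"expires": t, "last_seq": n}

    def login(self, now):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"expires": now + self.ttl, "last_seq": 0}
        return sid

    def accept(self, session_id, seq, command, tag, now):
        state = self.sessions.get(session_id)
        if state is None or now >= state["expires"]:
            self.sessions.pop(session_id, None)  # expired: force a fresh login
            return False
        if seq <= state["last_seq"]:
            return False  # sequence number already used: replay or reordering
        if not hmac.compare_digest(tag, sign(session_id, seq, command)):
            return False  # tuple was altered or signed under another key
        state["last_seq"] = seq
        return True


def replay_demo():
    """Capture one legitimate command and resend it to both designs."""
    weak = NonExpiringSessions()
    sid = weak.login()
    weak.accept(sid, "SET_OUTPUT", now=0)
    weak_replayed = weak.accept(sid, "SET_OUTPUT", now=10_000)

    hard = ExpiringSessions(ttl_seconds=300)
    sid2 = hard.login(now=0)
    tag = sign(sid2, 1, "SET_OUTPUT")
    first = hard.accept(sid2, 1, "SET_OUTPUT", tag, now=1)
    replayed_soon = hard.accept(sid2, 1, "SET_OUTPUT", tag, now=2)  # same seq
    replayed_late = hard.accept(sid2, 1, "SET_OUTPUT", tag, now=10_000)  # expired
    return {
        "weak_replay_accepted": weak_replayed,
        "hard_first_accepted": first,
        "hard_replay_soon": replayed_soon,
        "hard_replay_late": replayed_late,
    }


if __name__ == "__main__":
    print(replay_demo())
```

The sequence number is what blocks an immediate resend, and the expiry is what bounds how long any captured session remains useful; the article's description of sessions that only end on a physical restart is the case where both of these are missing.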
Dillon Beresford, the security researcher who discovered the flaws, says the following: “I was able to log in via Telnet and http, which allowed me to dump memory, delete files and execute commands.”
Beresford will present his findings at the Black Hat conference on Wednesday. He has been working with the Department of Homeland Security to validate the vulnerabilities, and he plans to withhold exploit code until Siemens has had a chance to fix the issues.