Security researchers have discovered a method to extract a global encryption key that was hardcoded in the CPUs of several Siemens programmable logic controller (PLC) product lines, allowing them to compromise their secure communications and authentication. Siemens advises all customers to upgrade both the firmware of the affected devices and the TIA Portal software that engineers use to communicate with them and deploy their programs.
According to security researchers from Claroty, Siemens introduced asymmetric cryptography to its SIMATIC S7-1200/1500 PLC CPUs almost a decade ago to protect their configuration, programs, and communications. However, the company chose to do so by using a hardcoded global private key for all devices from these product families, because back then dynamic key distribution and management was not a common practice and was a potential burden for customers.
“Since then, however, advances in technology, security research, and a rapidly changing threat landscape have rendered such hardcoded crypto keys an unacceptable risk,” the researchers said in their report. “A malicious actor who is able to extract a global, hardcoded key could compromise the entire device product line security in an irreparable way.”
Siemens PLCs use cryptographic keys for authentication and code protection
According to Claroty, Siemens S7-1200 and S7-1500 PLCs use several keys: a “per-family” key that is shared by all devices from a product line, a “per-model/firmware” key that is used to encrypt configurations and maintain code integrity, and a connection key that is used in the authentication process as well as to encrypt communications with clients. The connection key is derived from the configuration keys and is used for elliptic curve-based encryption.
This means that if attackers obtain the configuration key, they can potentially decrypt the user password from a PLC’s configuration as well as launch man-in-the-middle attacks, even when they don’t have access to read the encrypted configuration.
The problem is that this family-wide configuration key isn’t stored in the device firmware – the operating system running on the device – but in the CPU itself, so reading it requires the ability to interact directly with the CPU via opcodes. It only has to be done once on one device, because all of them share the key.
Researchers gained direct memory access to extract the key
Last year, the Claroty researchers found a remote code execution vulnerability (CVE-2020-15782) affecting S7 PLCs that allowed them to execute native code on the devices. Normally, the programs or logic that engineers write and deploy to PLCs through the specialized engineering software run inside a sandbox in the PLC OS. CVE-2020-15782 allowed the researchers to bypass that security layer and directly read and write to any normally protected memory address on the PLC.
“Using the DA [direct memory access] read permission we obtained, we were able to extract the entire encrypted PLC firmware (SIMATIC S7-1500) and map its functions,” the researchers said. “During the mapping process we found a function that reads the private key on the PLC. Once we had the function address, we rewrote the functionality of specific MC7+ opcodes with our shell code, forcing them to call the native function that reads the private key. We then copied the key to a known memory address and read it from there. Executing the overwritten function gave us the full private key of the PLC.”
Key enables several attacks
Interacting with Siemens PLCs requires a password, but the permissions the client is granted on the device are defined by four protection levels that can be configured. If the protection level is lower than three, an attacker can extract the configuration from the PLC without any special permission. This configuration contains the password hash but is encrypted. However, if they have the global private key, attackers can decrypt the password hash and use it to authenticate to the PLC with higher privileges.
If the protection level is higher than four, attackers can instead use the private key to launch a man-in-the-middle attack against a legitimate client. The way this would work is that they would simulate a fake PLC and force the client to try to authenticate to it. This would lead to the client sending an encrypted connection key to the rogue PLC, which could then be decrypted with the extracted global key in the attacker’s possession and used to connect to the real PLC. The real PLC would reply with a password challenge, which the attacker would forward back to the client to obtain its response.
Forwarding the challenge response to the real PLC would allow them to establish an authenticated session with the privileges to read the configuration, which includes the password hash. The password hash could then be decrypted using the global private key, giving attackers future access without repeating the man-in-the-middle session hijacking.
Finally, “an attacker with passive access to capture traffic to a given PLC on the network can intercept configuration reads/writes from the PLC,” the researchers warned. “Using the private key, the attacker can decrypt the configuration and extract the password hash. With the password hash the attacker can authenticate to the controller and write a new configuration.”
Users advised to upgrade the vulnerable devices and the engineering software
“SIMATIC S7-1200, S7-1500 CPUs and related products protect the built-in global private key in a way that cannot be considered sufficient any longer,” Siemens said in a new advisory in response to this issue. “Siemens recommends to update both the affected products as well as the corresponding TIA Portal project to the latest versions. TIA Portal V17 and related CPU firmware versions introduced protection of confidential configuration data based on individual passwords per device and TLS-protected PG/PC and HMI communication.”
The vulnerable devices include SIMATIC Drive Controller family versions lower than 2.9.2, SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (including SIPLUS variants) versions lower than 21.9, SIMATIC S7-1200 CPU family (including SIPLUS variants) versions lower than 4.5.0, SIMATIC S7-1500 CPU family (including related ET200 CPUs and SIPLUS variants) versions lower than 2.9.2, SIMATIC S7-1500 Software Controller versions lower than 21.9, and SIMATIC S7-PLCSIM Advanced versions lower than 4.0. All versions of SIMATIC ET 200SP Open Controller CPU 1515SP PC (including SIPLUS variants) are also affected, but no fix is available or planned for them.
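As an added example (not code from the article, Claroty or Siemens), the following script triages an asset inventory against the firmware thresholds listed above, treating every version below the first fixed release as still carrying the hardcoded global key and flagging the 1515SP PC controller for which no fix exists. The inventory records are constructed sample data; the product names and version thresholds are the ones stated in the advisory text.

```python
from typing import Optional

# Product family -> first version that is NOT affected; None = every version
# affected and no fix available or planned (thresholds as stated in the advisory)
ADVISORY = {
    "SIMATIC Drive Controller": (2, 9, 2),
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC2": (21, 9),
    "SIMATIC S7-1200 CPU": (4, 5, 0),
    "SIMATIC S7-1500 CPU": (2, 9, 2),
    "SIMATIC S7-1500 Software Controller": (21, 9),
    "SIMATIC S7-PLCSIM Advanced": (4, 0),
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC": None,
}

def parse_version(text: str) -> tuple:
    """'V2.9.2' or '2.9.2' -> (2, 9, 2); tolerates a leading 'V' and whitespace."""
    return tuple(int(p) for p in text.strip().lstrip("Vv").split("."))

def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the firmware is below the fixed version (hardcoded key still present),
    False if it is at or above the fix, None if the advisory does not list the product."""
    if product not in ADVISORY:
        return None
    fixed_in = ADVISORY[product]
    if fixed_in is None:            # no fix exists: every version is affected
        return True
    v = parse_version(version)
    n = max(len(v), len(fixed_in))  # pad so that (2, 9) compares as (2, 9, 0)
    return v + (0,) * (n - len(v)) < fixed_in + (0,) * (n - len(fixed_in))

def triage(inventory):
    """Map (product, version) pairs to (product, version, status) rows."""
    status = {None: "not covered by advisory", True: "AFFECTED: update", False: "fixed version"}
    rows = []
    for product, version in inventory:
        hit = is_affected(product, version)
        label = status[hit]
        if hit and ADVISORY[product] is None:
            label = "AFFECTED: no fix available or planned"
        rows.append((product, version, label))
    return rows

# Constructed sample inventory (not real devices)
SAMPLE_INVENTORY = [
    ("SIMATIC S7-1500 CPU", "V2.8.3"),
    ("SIMATIC S7-1500 CPU", "V2.9.2"),
    ("SIMATIC S7-1200 CPU", "4.4"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC", "V2.1"),
    ("SIMATIC S7-PLCSIM Advanced", "4.0"),
]
```

Running `triage(SAMPLE_INVENTORY)` flags the first, third and fourth devices and reports the 1515SP PC as unfixable, which is the case where the only mitigation left is network segmentation and replacement planning.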
Copyright © 2022 IDG Communications, Inc.