
DOS, Backdoor, and Easter Egg Found In Siemens S7

Unknown Lamer posted more than 3 years ago | from the punch-the-monkey dept.

Security 121

chicksdaddy writes with a post in Threat Post. From the article: "Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe. In an interview Tuesday evening, Beresford said he has reported 18 separate issues to Siemens and to officials at ICS CERT, the Computer Emergency Response Team for the Industrial Control Sector. Siemens said it is readying a patch for some of the holes, including one that would allow a remote attacker to gain administrative control over machinery controlled by certain models of its Step 7 industrial control software."


Oh Good, A Backdoor (2)

WrongSizeGlass (838941) | more than 3 years ago | (#36986560)

It's ironic that they found a backdoor because once someone (person or organization) takes advantage of these security holes Siemens' customers will be taking it "in the backdoor".

Re:Oh Good, A Backdoor (2)

wiedzmin (1269816) | more than 3 years ago | (#36986618)

Considering that malware targeting Siemens' SCADA systems has been around since last year, I think there's been some backdoor action happening already... there are just no regulations that force industrial entities to release information about their breaches... or, it is entirely possible that industrial entities lack the IT staff and infrastructure to detect said breaches.

Re:Oh Good, A Backdoor (1)

geekoid (135745) | more than 3 years ago | (#36986666)

Depends. Government agencies will disclose that information. There are guidelines you need to follow.

Private corporations don't.

Re:Oh Good, A Backdoor (1)

WrongSizeGlass (838941) | more than 3 years ago | (#36986668)

Considering that malware targeting Siemens' SCADA systems has been around since last year

I'd have thought Siemens would have learned something from the hardcoded passwords that allowed Stuxnet to proliferate. Of course, I'd be wrong again.
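As an added example (not code from the article, from Siemens, or from the commenter above), here is the crude first pass a reviewer runs on a firmware or binary image before reaching for a disassembler: pull out the printable strings and flag the ones that sit next to credential-looking labels, which is how baked-in administrative passwords of the kind reported in the article tend to surface. The keyword list, the neighbour window and the sample blob are all assumptions constructed for the example.

```python
"""Added example, not code from the article or from Siemens: a first-pass
scan of a firmware or binary blob for hard-coded credential candidates.
Keywords, window size and the sample blob are assumptions for the example."""
import re

MIN_LEN = 4  # shortest printable run worth reporting, same default as `strings`

# Labels that commonly sit right next to a baked-in secret in vendor firmware.
CREDENTIAL_KEYWORDS = ("password", "passwd", "pwd", "user", "login", "admin", "secret")

# Constructed stand-in for a firmware image: binary noise with a handful of
# embedded strings, including a hypothetical username/password pair.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(256)) * 4
    + b"\x00Copyright 2009 Example Vendor\x00"
    + b"\x00telnet login: \x00user=plcservice\x00passwd=Summer2009!\x00"
    + bytes(range(255, -1, -1)) * 4
    + b"\x00http://example.invalid/diag\x00"
)


def extract_strings(blob, min_len=MIN_LEN):
    """Return [(offset, text), ...] for every printable ASCII run in the blob."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def find_credential_candidates(blob, window=128):
    """Return each string containing a credential keyword, bundled with the
    other strings found within `window` bytes of it. A value usually lives
    right beside its label ('user=...' / 'passwd=...'), so the neighbours are
    what an analyst reads next."""
    strings = extract_strings(blob)
    hits = []
    for offset, text in strings:
        lowered = text.lower()
        if not any(k in lowered for k in CREDENTIAL_KEYWORDS):
            continue
        neighbours = [
            (o, t) for o, t in strings
            if o != offset and abs(o - offset) <= window
        ]
        hits.append({"offset": offset, "string": text, "nearby": neighbours})
    return hits


if __name__ == "__main__":
    for hit in find_credential_candidates(SAMPLE_BLOB):
        print(f"0x{hit['offset']:08x}  {hit['string']!r}")
        for off, text in hit["nearby"]:
            print(f"    0x{off:08x}  {text!r}")
```

Running it on a real image produces plenty of noise (the printable stretch of the byte-ramp above shows up as a 95-character "string", just as it would in `strings` output), so treat the result as a worklist for manual review, not as findings.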

Re:Oh Good, A Backdoor (4, Insightful)

tlhIngan (30335) | more than 3 years ago | (#36986918)

Actually, I'd hazard a guess that MOST SCADA systems are vulnerable. These things weren't designed with security in mind - they're supposed to run off closed networks separated from the Internet (easily done - most of these things predate the Internet).

Heck, the biggest "security issue" would've been access via OPC ("OLE for Process Control" - yes, that same stuff Microsoft touted - "Object Linking and Embedding" from Windows 3.x).

And yeah, most industrial entities probably lack the proper IT team and infrastructure - after all, most of their work involved keeping the network up and running for the controllers, keeping OPC working. Then someone demands Internet connectivity on their desktop and they set up routers and firewalls (and don't know about stuff like data diodes).

Basically, stuff that was never designed for security ends up on the Internet.

Re:Oh Good, A Backdoor (1)

Gilmoure (18428) | more than 3 years ago | (#36988098)

Basically, stuff that was never designed for security ends up on the Internet.

Oh, this is too easy.

Re:Oh Good, A Backdoor (1)

Synerg1y (2169962) | more than 3 years ago | (#36988444)

I am still scratching my head as to how these machines are exactly web facing so that they could be remotely exploited? I have a hard time picturing a robotic arm with a web interface to control it. It would more be a custom application on an embedded system. Did I mention embedded systems? They're a bit different from Windows based systems on most occasions. Dunno, really can't follow the logic here, the only thing that should face the web should be non-employee based consumer websites for a business, maybe VPN if the execs understand what's at stake.

If the system needs to communicate with another system over the network, that's why we make subnets and dedicated ports... dedicated switches to take it a step further.

Re:Oh Good, A Backdoor (1)

tlhIngan (30335) | more than 3 years ago | (#36989746)

I am still scratching my head as to how these machines are exactly web facing so that they could be remotely exploited? I have a hard time picturing a robotic arm with a web interface to control it. It would more be a custom application on an embedded system. Did I mention embedded systems? They're a bit different from Windows based systems on most occasions. Dunno, really can't follow the logic here, the only thing that should face the web should be non-employee based consumer websites for a business, maybe VPN if the execs understand what's at stake.

If the system needs to communicate with another system over the network, that's why we make subnets and dedicated ports... dedicated switches to take it a step further.

Easy. In dark times, the SCADA systems used proprietary systems and programs to access them (and were on private networks). Accessing data was arcane and limited to whatever the vendor allowed and provided.

Then came along OPC. OLE for Process Control was just what - allowing access to everything via OLE. Now anyone with Windows and an OLE-compliant app can get data from the system in real time. Imagine opening an Excel spreadsheet and having it update with the latest information from the industrial process right then and there in real time. No need to go to a special PC, get the data, save it, transform it, and finally process it.

Now, that special PC can have OPC software installed, and anyone with OLE-compliant software can query the data in real time. OPC is big enough that all vendors gave in and implemented an adapter to their proprietary interface. Said special PC was now connected to the corporate network AND the industrial network.

Next came the internet. And it opened a new can of worms.

First, a company might want access to the data remotely.

Or, more popularly, a machine on the network gets compromised, which infects the special PC (which probably is way behind in patches - industrial control PCs often have a narrow band of "supported" patches, and no one wants to fix what isn't broken (product is still being produced)).

And then, QED.

If the company was smart, they'd stick a data diode between the special PC and the rest of the corporate network.
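The bridging described in the post above, the "special PC" with one foot on the industrial network and one on the corporate network, is exactly what a segmentation audit should flag. As an added example (not code from the original post), the script below walks a host inventory and reports dual-homed machines and control-network hosts that carry a default route. The inventory layout, the address ranges and the host names are assumptions constructed for the example.

```python
"""Added example, not code from the original post: audit a host inventory for
hosts bridging the control and corporate networks, and for control-network
hosts that can reach beyond their segment via a default route. Inventory
layout and address ranges are assumptions for the example."""
from ipaddress import ip_address, ip_network

CONTROL_NETS = [ip_network("10.200.0.0/16")]    # assumed PLC / HMI ranges
CORPORATE_NETS = [ip_network("10.10.0.0/16")]   # assumed office ranges
DEFAULT_ROUTE = ip_network("0.0.0.0/0")

# Constructed inventory, the shape of a per-host `ip addr` / `ip route`
# collection. "opc-gw" plays the dual-homed "special PC" from the comment.
INVENTORY = [
    {"host": "hmi-01", "addrs": ["10.200.1.5"],
     "routes": ["10.200.0.0/16"]},
    {"host": "opc-gw", "addrs": ["10.200.1.10", "10.10.4.20"],
     "routes": ["10.200.0.0/16", "10.10.0.0/16", "0.0.0.0/0"]},
    {"host": "eng-ws", "addrs": ["10.10.4.33"],
     "routes": ["10.10.0.0/16", "0.0.0.0/0"]},
    {"host": "plc-03", "addrs": ["10.200.2.7"],
     "routes": ["10.200.0.0/16", "0.0.0.0/0"]},
]


def zones_of(host):
    """Set of zone names ('control', 'corporate', 'other') the host has an address in."""
    zones = set()
    for a in host["addrs"]:
        addr = ip_address(a)
        if any(addr in n for n in CONTROL_NETS):
            zones.add("control")
        elif any(addr in n for n in CORPORATE_NETS):
            zones.add("corporate")
        else:
            zones.add("other")
    return zones


def find_dual_homed(inventory):
    """Hosts with an address in both the control and the corporate zone."""
    return [h["host"] for h in inventory if {"control", "corporate"} <= zones_of(h)]


def find_control_hosts_with_default_route(inventory):
    """Control-zone hosts carrying a default route, i.e. able to reach whatever
    the upstream router lets through instead of only their own segment."""
    return [
        h["host"] for h in inventory
        if "control" in zones_of(h)
        and any(ip_network(r) == DEFAULT_ROUTE for r in h["routes"])
    ]


if __name__ == "__main__":
    print("dual-homed:", find_dual_homed(INVENTORY))
    print("control hosts with default route:",
          find_control_hosts_with_default_route(INVENTORY))
```

Every host the first function returns is a place where a data diode or a one-way gateway should sit instead of a second NIC; every host the second returns is one whose reachability from outside its segment depends entirely on the router and firewall configuration rather than on the host being unable to route at all.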

Re:Oh Good, A Backdoor (0)

Anonymous Coward | more than 3 years ago | (#36990206)

Subnets and dedicated ports aren't always enough.

http://abterra.ca/papers/How-Stuxnet-Spreads.pdf [abterra.ca]

Re:Oh Good, A Backdoor (1)

b0r1s (170449) | more than 3 years ago | (#36987472)

Siemens hole has already been used to rape Iran (Stuxnet fun). Doesn't get much more rapey than that.

Re:Oh Good, A Backdoor (1)

Sulphur (1548251) | more than 3 years ago | (#36989808)

Siemens hole has already been used to rape Iran (Stuxnet fun). Doesn't get much more rapey than that.

Did you mean rapier?

Re:Oh Good, A Backdoor (0)

Anonymous Coward | more than 3 years ago | (#36987640)

Well, at least they found a backdoor in their siemens, and not the other way around.

Re:Oh Good, A Backdoor (1)

captain_sweatpants (1997280) | more than 3 years ago | (#36987778)

you've struck gold my friend!

Re:Oh Good, A Backdoor (1)

DriedClexler (814907) | more than 3 years ago | (#36989152)

Not just that, I assumed that it was always known that semens' code will spawn a child process.

Oh, THAT DOS... (2)

damn_registrars (1103043) | more than 3 years ago | (#36986566)

Here I was looking forward to hearing about someone playing Zork on an S7.

Re:Oh, THAT DOS... (1)

Toe, The (545098) | more than 3 years ago | (#36986720)

Better yet, you can run WordPerfect 5.1 and Lotus 1-2-3!!

Re:Oh, THAT DOS... (1)

WrongSizeGlass (838941) | more than 3 years ago | (#36986812)

Better yet, you can run WordPerfect 5.1 and Lotus 1-2-3!!

Only if you still have that keyboard map/Rosetta stone they included. I think it was ctrl-option-shift-F13 to insert "WTF?"

Re:Oh, THAT DOS... (1)

damn_registrars (1103043) | more than 3 years ago | (#36986962)

Better yet, you can run WordPerfect 5.1 and Lotus 1-2-3!!

But that is productivity software; why would we want to load that on an industrial controller? It would be far more interesting to use it to play Doom instead...

Re:Oh, THAT DOS... (1)

Opportunist (166417) | more than 3 years ago | (#36989242)

Preferably with the industrial robots those systems control.

They found DOS there? (1)

maxwell demon (590494) | more than 3 years ago | (#36986600)

They found DOS there? I didn't know Siemens S7 was running under ancient operating systems. :-)

Embedded systems may not need much of an OS (5, Interesting)

tepples (727027) | more than 3 years ago | (#36986870)

I didn't know Siemens S7 was running under ancient operating systems. :-)

I don't know about S7, never having used it. But you might be surprised about what sort of real-time control systems still run on operating systems like DOS, using the operating system solely as a vehicle for occasional access to storage, because DOS lets the program take over so much of the computer's execution. Google embedded dos [google.com] and be surprised.

Re:Embedded systems may not need much of an OS (1)

h4rr4r (612664) | more than 3 years ago | (#36986984)

You would need something like RTKernel to give you a RTOS on DOS. It makes no such guarantees. Like you said, use the OS only for storage access.

Re:Embedded systems may not need much of an OS (0)

Anonymous Coward | more than 3 years ago | (#36987638)

On you need nothing. DOS by itself does nothing. Disk access is deterministic under it. It's actually pretty awesome.

Germans and humour... (1)

rbrausse (1319883) | more than 3 years ago | (#36986602)

as I'm myself German I'm allowed to say that this is one of the most irritating attributes. TFA about the easter egg quotes one researcher with:

They weren’t exactly happy. Considering where these devices are deployed, they didn’t think it was very funny.

Easter eggs are cool, the flight simulator was the best feature in Excel 97(?).

Re:Germans and humour... (5, Insightful)

geekoid (135745) | more than 3 years ago | (#36986724)

Adding more code to critical systems is NOT COOL. More bugs, more exploits. SCADA systems need to be developed by people who understand and enforce proper engineering and professionalism. This teenage hacker shot does NOT belong there.

If the software industry would start enforcing engineering principles, most of these messes wouldn't even exist.

Re:Germans and humour... (1)

somersault (912633) | more than 3 years ago | (#36987034)

This teenage hacker shot does NOT belong there.

Posting from an Android device, I presume? I hate when it censors me like that.. in 2.x it was easy to add words, but 3.01 does things differently..

Re:Germans and humour... (1)

geekoid (135745) | more than 3 years ago | (#36987072)

No. From Chrome on XP. It's a typo. Note the O's location and the I's location.

I don't remember my Nexus S ever editing out the word 'shit'.

Re:Germans and humour... (1)

Anonymous Coward | more than 3 years ago | (#36987100)

No. From Chrome on XP. It's a typo. Note the O's location and the I's location.

I don't remember my Nexus S ever editing out the word 'shit'.

Well, at least it seems like the spell check works grate.

Re:Germans and humour... (1)

GameboyRMH (1153867) | more than 3 years ago | (#36988374)

May spill chucker work four me, canned ewe sea?

Re:Germans and humour... (1)

somersault (912633) | more than 3 years ago | (#36988602)

I noticed, it's just that it happens so often on my tablet that I had to check! When I make a typo on a real keyboard, my fingers tend to know before my eyes..

Re:Germans and humour... (0)

Anonymous Coward | more than 3 years ago | (#36987078)

That's the thing. Most of the people who develop these systems are not software engineers. They are home grown. They know their work. They build something that lets them do what they want and are done.

They trust the other systems are secure enough. But 99% of the time these things are impossible to get at. Most companies do not even let them plug it into any sort of network. As in 'no you are not digging a trench across 500 feet of concrete I just had put in 2 years ago'. So the systems sit with 0 network coming out of them. They are not designed to be secure. They are designed to get data.

Re:Germans and humour... (-1)

Anonymous Coward | more than 3 years ago | (#36987130)

Fuck you and your kids you faggot.

Re:Germans and humour... (-1)

Anonymous Coward | more than 3 years ago | (#36987572)

Ooh, touchy. That stick up your ass bothering you again, boy?

Re:Germans and humour... (2)

Gilmoure (18428) | more than 3 years ago | (#36988142)

Engineering standards and accreditation for coders?

Re:Germans and humour... (1)

WrongSizeGlass (838941) | more than 3 years ago | (#36986778)

Easter eggs are cool, the flight simulator was the best feature in Excel 97(?).

This Easter egg is just some monkeys dancing under some text that translates to 'All work and no play makes Jack a dull boy'. Who knows what it could have been had someone wanted to be a bit more sinister.

Re:Germans and humour... (1)

Creepy (93888) | more than 3 years ago | (#36987770)

Actually the text doesn't literally translate well (literally "hear nothing, work nothing, only simple"), but the funny thing is (unless I'm missing an idiom, which is possible) it seems to mean the opposite of that phrase - I translate it as more "hear nothing and do nothing makes you a simpleton."

Re:Germans and humour... (1)

The MAZZTer (911996) | more than 3 years ago | (#36986788)

At least the US government requires all software features be fully documented, and easter eggs, by their very nature, tend to qualify as an undocumented software feature. This is why MS doesn't tend to put them in anymore.

Re:Germans and humour... (4, Insightful)

Infiniti2000 (1720222) | more than 3 years ago | (#36986846)

Easter eggs are cool

No, Easter eggs (in software) are not cool. They cause problems in many ways.

  1. Once discovered, they cause embarrassment to the employer.
  2. They're a waste of resources (money) to the employer. The waste includes: time and money to actually implement or at a minimum opportunity cost for not working on real products, money spent removing the eggs, money spent repairing field items or possibly recall.
  3. If discovered, the employee faces potentially significant consequences. Obviously, this is likely termination, but depending on the length of employment and other facts, this could also severely affect future employment opportunities.
  4. This may do irreparable harm to the reputation of the employer. This could be long-lasting, too, as evidenced by your recollection of the Excel egg.
  5. The egg itself may be a source of a security vulnerability.
  6. The egg itself may have bugs and (besides a security vulnerability as mentioned above) cause a crash of the system.

Re:Germans and humour... (1)

Anonymous Coward | more than 3 years ago | (#36987398)

Easter eggs without authorization from the employer are not cool. It's unprofessional to insert any code that your employer doesn't know about. Similarly, it should be an internally documented feature. If the employer knows about it, we've pretty much shattered most of your objections related to consequences to the employee.

That said, the time and money spent on "not working on real products" is usually a good morale booster. People like working on little things like that, programmers enjoy humor. Money should never be spent removing an easter egg, because...why would you?

If the employer is not placing easter eggs in mission critical software (the Siemens stuff qualifies, and it's stupid, Excel does not qualify), then there should be no damage to the reputation of the employer. Yes, the recollection of the Excel egg is long-lasting, but it's remembered fondly. You and maybe two other people would look at that and say, "fuck Microsoft for being unprofessional."

As for source of bugs, you just never place the easter egg anywhere near functionality code. If there's a bug in the easter egg that affects something else, you're doing it wrong.

Re:Germans and humour... (0)

Anonymous Coward | more than 3 years ago | (#36990016)

You're that guy. The one that makes everybody else miserable. Grow a personality you fucking corp monkey.

Re:Germans and humour... (1)

Infiniti2000 (1720222) | more than 3 years ago | (#36990328)

You're that guy. The one that makes everybody else miserable. Grow a personality you fucking corp monkey.

Yeah, I'm that guy. I'm that guy that wrote software for Class III medical devices. While I can't say if the Siemens controllers are used in similar types of devices, stupid, fucking morons (apparently like you) make life really fucking difficult for people like me. We did work with German products, by the way, and spent a significant amount of time fixing their shit up. (I'm in the U.S.) While that may just be one sample of a German company (we found no Easter eggs), it's the general principle here I'm griping about.

This has nothing to do with having a personality.

Re:Germans and humour... (2, Insightful)

Anonymous Coward | more than 3 years ago | (#36986910)

As I'm myself working for a grid operator I'm allowed to say that easter eggs in word processors and spreadsheets are one thing, and easter eggs in critical infrastructure control systems are quite another. Hopefully everyone can agree an easter egg in the software that controls the space shuttle would not be amusing either...

Re:Germans and humour... (1)

24-bit Voxel (672674) | more than 3 years ago | (#36988894)

I don't know that actually sounds pretty damn fun. I'm pretty sure I could fly it if the spawn point wasn't too far away. First thing I'd do is buzz the space station and give the astronauts in there something to talk about besides dried strawberries and Nintendo at 0 gravity.

Hopefully easier than Lunar Lander...

Re:Germans and humour... (0)

Anonymous Coward | more than 3 years ago | (#36989966)

Fine! I'll go build my own lunar lander, with blackjack and hookers! In fact, forget about the lunar lander and the blackjack. Ah, screw the whole thing.

Re:Germans and humour... (1)

TBBle (72184) | more than 3 years ago | (#36987016)

Easter Eggs may be cool. Easter Eggs your QA team, management and people who're actually customer-facing don't know about are less cool. Easter Eggs that blow up in your face, introduce vulnerabilities, or simply surprise the users of industrial control systems (used in nuclear reactors at that!) are pretty uncool.

This one was of the second type, and not (as far as we know) the third type.

It does reflect a concerningly non-professional attitude to the development of an industrial device, in my opinion.

Re:Germans and humour... (2)

Kyusaku Natsume (1098) | more than 3 years ago | (#36987712)

This sounds more like whoever did the easter egg was venting a lot of frustration rather than doing it for fun. I had a friend who worked for Siemens and was treated by the local managers and the German leadership worse than shit. One of their common answers was "we don't care if you don't like it because we have 50 engineers at the door begging for your post and we will pay them less than what we pay you." If the corporate culture is the same in all of Siemens it is no wonder that their products get done so badly at the end of the day.

Gee thanks Mossad (2)

elrous0 (869638) | more than 3 years ago | (#36986698)

Yep, you showed Iran alright. Unfortunately, you also created a whole new giant pain in the world's ass.

Re:Gee thanks Mossad (3, Insightful)

Anubis350 (772791) | more than 3 years ago | (#36986902)

I'm going to argue that Siemens created the problem by failing to secure their work against some rather embarrassing vulnerabilities. You think that if Stuxnet hadn't been created no-one would have eventually found these? Possible, I suppose, but doubtful, I mean someone had to be thinking along those lines in order to create Stuxnet in the first place, and if one team can then so can another.

Re:Gee thanks Mossad (0)

Anonymous Coward | more than 3 years ago | (#36988442)

Would these holes have been found if Qhdsojfsv hadn't been created? Oh wait, Qhdsojfsv doesn't exist in this universe, and yes! They were found.

Re:Gee thanks Mossad (1)

GameboyRMH (1153867) | more than 3 years ago | (#36988448)

Yeah these issues were well known before them.

Fun fact: The PLCs that run the luggage systems at airports are usually controlled by modems, hooked up to secret numbers with NO AUTHENTICATION. See if you can figure out a number range used by an airport and wardial it (from a pay phone or a seedy motel of course). If you hit paydirt (you'll need a special tool to log in, standard stuff to anyone familiar with PLCs), you can make the luggage run backwards for epic lulz!

Re:Gee thanks Mossad (0)

Anonymous Coward | more than 3 years ago | (#36988648)

I don't understand why the media attention on these PLCs now? A lot of technicians working on these systems knew about these silly vulnerabilities, but I guess they never imagined someone would be stupid enough to start hooking up company networks to the internal LANs of these PLCs. Especially to Siemens' Profibus/Profinet. But stupid IT people caught up and mentioned it to their bosses that this could be done and said boss got excited over being able to watch the progress of his machine in his office and thus the house of cards fell apart.

I've personally seen some dumb installations where the IT guys hooked up their company network to the Profinet internal LAN, where realtime communication is essential between these PLC systems for safety reasons. That realtime communication is pretty much compromised along with the safety, once they did it.

Keep in mind these issues don't just revolve around Siemens, Allen Bradley and others sure as hell have the same issues, some of them worse than Siemens *cough Schweitzer*.

Re:Gee thanks Mossad (1)

shoehornjob (1632387) | more than 3 years ago | (#36987634)

Yep, you showed Iran alright. Unfortunately, you also created a whole new giant pain in the world's ass.

Considering the tradeoff I'll take the giant pain in the ass any day. Those folks "running" Iran should most definitely NOT have access to enriched uranium.

Re:Gee thanks Mossad (1)

sjames (1099) | more than 3 years ago | (#36988230)

They will get there anyway. This was a delay only. Only now they'll be MORE pissed off.

Re:Gee thanks Mossad (1)

shoehornjob (1632387) | more than 3 years ago | (#36988452)

They will get there anyway. This was a delay only. Only now they'll be MORE pissed off.

Cue the bombers. If they get that far Israel or USA will bomb their factory back to the stone age.

Re:Gee thanks Mossad (0)

Anonymous Coward | more than 3 years ago | (#36989784)

Cue the bombers. If they get that far Israel will bomb their factory back to the stone age.

Fixed that for you as the US can't afford any new war for the next decades

Re:Gee thanks Mossad (1)

Clandestine_Blaze (1019274) | more than 3 years ago | (#36988546)

The tradeoff was that Iran learned very quickly how to recover from such a set-back, was able to become operational and self-sufficient very quickly, and has now implemented additional security mechanisms in their operations to try to avoid something like this in the future. This only made them stronger and more self-reliant. Whoops.

Having said that, I still despise the Iranian leadership.

Re:Gee thanks Mossad (1)

shoehornjob (1632387) | more than 3 years ago | (#36989204)

Having said that, I still despise the Iranian leadership

Therein lies the problem. I suspect eventually there will be two outcomes to the Iranian leadership problem: Either the students/young people will rise up against the regime (history repeating itself) or someone will bomb their uranium plants (at least the ones we know about) back to the stone age.

Re:Gee thanks Mossad (1)

Clandestine_Blaze (1019274) | more than 3 years ago | (#36989364)

Well said! And if those are truly the two only possible outcomes, I hope for the former. At least then, the young people of Iran can take control of their own destiny after having learned the harsh lessons of living under both a monarchy and then a theocracy.

No it didn't (1)

SmallFurryCreature (593017) | more than 3 years ago | (#36989674)

They are still buying their centrifuges and pretty much all equipment from outside. Iran doesn't have much choice. I am not going to point out that the Russians did in a few years what has so far taken Iran decades. There might be a reason they are slow other than outside influences.

Re:No it didn't (1)

Clandestine_Blaze (1019274) | more than 3 years ago | (#36989856)

There was a pretty good op-ed [washingtonpost.com] yesterday in the Washington Post that talked about this. Shortly after the revolution, most of the scientific institutions in Iran were either shut down or held back during the 1980s, but then started to make a resurgence in the 1990s, which is why it is taking so long for Iran to get anywhere.

Anyway, the whole op-ed focuses on Iran being one of the few countries to not have much external help in their nuclear program. Now, this is just an opinion piece, so I'm not claiming it as being a source of ultimate truth, but I felt the author raised some interesting points.

That does not invalidate your point, however, and you are right, it's still taking Iran decades, and every year we hear that they are "2-3 years" away from the bomb without seeing much success. I personally don't believe that Iran would be crazy enough to use a nuclear bomb, and think that they want to join in on the nuclear club as protection. The current Iranian leadership is power-hungry and greedy, and will do anything to stay in power. That doesn't mean that I would be thrilled that they would have it, since it'll do nothing but create more turmoil in that region.

Only quickly scanned TFA.... (2)

LordStormes (1749242) | more than 3 years ago | (#36986726)

... but it looks like the article has just posted a how-to guide for how to pwn every utility in the USA, up to and including the port numbers to exploit and the password to use, before this vulnerability is patched. Does anybody else have a problem with this?

Need a new scanner... (3)

MRe_nl (306212) | more than 3 years ago | (#36986800)

FTA:
"Beresford had planned to discuss a few of the vulnerabilities at TakeDownCon in Texas in May, but pulled the talk at the last minute after Siemens and the Department of Homeland Security expressed concern about disclosing the security holes before Siemens could patch them.

He's been working with DHS's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, to validate and disclose the vulnerabilities and plans to withhold some information, as well as actual exploit code, until Siemens has a chance to patch the vulnerabilities that can be fixed".

Re:Only quickly scanned TFA.... (0)

Anonymous Coward | more than 3 years ago | (#36986852)

... but it looks like the article has just posted a how-to guide for how to pwn every utility in the USA, up to and including the port numbers to exploit and the password to use, before this vulnerability is patched. Does anybody else have a problem with this?

You mean with your limiting concerns to the USA?

Re:Only quickly scanned TFA.... (1)

LordStormes (1749242) | more than 3 years ago | (#36987030)

TFA says the exploit described only affects unpatched systems from 2009. I trust non-USA companies (discounting TEPCO) to be smart enough to patch their stuff.

Re:Only quickly scanned TFA.... (0)

Anonymous Coward | more than 3 years ago | (#36987940)

You mean with your limiting concerns to the USA?

Fix the most important areas first.

Re:Only quickly scanned TFA.... (0, Insightful)

Anonymous Coward | more than 3 years ago | (#36986888)

No, those systems should be on an isolated network. If they are internet facing, or there is an internet facing computer also on that network, then the utility company deserves all the havoc that comes to them.

Re:Only quickly scanned TFA.... (1)

Anonymous Coward | more than 3 years ago | (#36987032)

And their customers? Or those downwind or downstream? What do they deserve?

Re:Only quickly scanned TFA.... (2)

gregfortune (313889) | more than 3 years ago | (#36987052)

That's a little naive. I can promise you PLCs running unpatched versions of software are running accessible from the internet and no amount of "You shouldn't have done that, dummy" is going to magically secure them overnight. The reality is that our industry simply isn't as security conscious as it needs to be and while some of us recognize the PLC systems should be air-gapped anyway, I doubt that's the norm.

If your power goes out tonight, I'm going to smile a little inside. Deserved?

Re:Only quickly scanned TFA.... (0)

Anonymous Coward | more than 3 years ago | (#36989390)

Page 19 below gives some idea how involved real-world networks are. Engineers might like some things to be totally isolated, but with MBAs believing that firewalls are just as good, the notion is only a fantasy for most.

http://abterra.ca/papers/How-Stuxnet-Spreads.pdf [abterra.ca]

Re:Only quickly scanned TFA.... (1)

OzPeter (195038) | more than 3 years ago | (#36987076)

... but it looks like the article has just posted a how-to guide for how to pwn every utility in the USA, up to and including the port numbers to exploit and the password to use, before this vulnerability is patched. Does anybody else have a problem with this?

Well not every company in the world runs S7 PLCs, so you would have to have a grab bag of vulnerabilities for each of the major PLC vendors. Of course I don't doubt that they all can be exploited in some way or another as they are all basically designed in with the same mindset. Then again I did deal with a system last year that used a serial connection - so that was totally unexploitable!

Re:Only quickly scanned TFA.... (1)

gl4ss (559668) | more than 3 years ago | (#36987236)

no, that shit should have been printed on news magazines years ago.

it's not like they were going to do anything before that. backdoors are intentional anyways, not exactly vulnerabilities, but intentional, by design. and those industrial contract software creators don't do jack shit unless there's a payer for the fix. that's right, you buy sw and then when there's something wrong with it you get gouged for more.

sure there's probably a few guys scrambling from their holidays to do some extra checking on their network filtering now, but that's what they get paid for. maybe next time they'll buy the shit from some hobby guys who cobble it together with c64's - and have it better.

Nah (0)

Anonymous Coward | more than 3 years ago | (#36988728)

No, it's information that's out there anyway. I have a problem with hard-coded passphrases and the serious vulnerabilities in critical equipment, not to mention their connectivity to public networks.

Oh, come ON!!! (1)

ctrimm (1955430) | more than 3 years ago | (#36986814)

Seriously, does anyone pentest software anymore?

Re:Oh, come ON!!! (1)

Opportunist (166417) | more than 3 years ago | (#36989306)

Yes, but only if I get hired to do it.

If you know your software is a half-baked piece of crap, the very last thing you'd want is to have it pentested. What you want is to slap a big name on it and trust that some management fools go by the creed of "nobody has ever been fired for buying $bigname".

Re:Oh, come ON!!! (1)

blacklint (985235) | more than 3 years ago | (#36989740)

Well, Dillon Beresford apparently does, so yes :)

Not surprised (1)

U8MyData (1281010) | more than 3 years ago | (#36986894)

Nice. Although I have to say I am not surprised. Software is just an after thought for these guys. They are more interested in the industrial aspects and have to have software to "make it go..."

Backdoors in bitbanging software (1)

Anonymous Coward | more than 3 years ago | (#36986964)

The developers that code the software that runs SCADA (system control and data acquisition) and PID (proportional/integral/differential) controllers are usually more concerned about massaging bytes into bits the hardware will understand, avoiding logic races, and optimizing code for both size and speed, rather than worrying about remote exploits. 32k of memory isn't unheard of (note, k is an old computer term meaning kilobyte, and it takes 1024 of these kilobytes to make a lowly Megabyte, and of course 1024 Megabytes makes the old Gigabyte, and 1024 Gigabytes makes the Terabyte that most of you are most familiar with.) A lot of the software that ladder logic. Security is second fiddle.

Re:Backdoors in bitbanging software (0)

Anonymous Coward | more than 3 years ago | (#36987876)

To be fair, I think there is no S7 with less than 512k of working mem; I don't think you could buy one with less than a megabyte at this point. You load it up with all the crap that you can by default and you'll have 3/4 still free to use. But that's all beside the point: the engineers doing ladder logic and bit shuffling should not be worried about security. Siemens got the security wrong from the get go; writing a PID loop did not create the trouble. That said, only recently have any of the vendors been actively thinking about security in any real terms. But even given that, most EPLCs can be just flooded from the network and it will make them lose their brains. I could see them becoming nonresponsive over ethernet, but they simply stop if they get hit right and hard enough, like a Nessus scan even. It's ridiculous, I've had to deal with EPLCs that send all replies to the broadcast address! Clearly it will take some time for the culture shift and education at PLC vendors to happen; it will be painful before then.

Having personally worked with "software engineers" (2)

Assmasher (456699) | more than 3 years ago | (#36986982)

...from SIEMENS that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.

Hell, this is a company whose senior software engineers in their corporate research center(s) think you need to use Tomcat in order to have a client talk to a server (apparently they don't actually know/understand how to use a socket themselves - no shit.)

Re:Having personally worked with "software enginee (2)

OzPeter (195038) | more than 3 years ago | (#36987190)

...from SIEMENS^D^D^D^D^D^D^D GE^D^D Invensys^D^D^D^D^D^D^D^D GE^D^D Bailey^D^D^D^D^D^D Toshiba^D^D^D^D^D^D^D GE^D^D [*] and several other firms that will remain un-named for now that very likely the process used to design/spec/create/test the firmware resembled software engineering in no fashion whatsoever.

[*] I've worked with multiple GE divisions.

Re:Having personally worked with "software enginee (1)

Opportunist (166417) | more than 3 years ago | (#36989442)

I had my share of work with Siemens. When you see people boast that they're "software engineers" and then see them struggle with VB, you know something is not quite right.

But hey, what do you expect? We got a good deal of our technical personnel (including programmers) from temp agencies; actually, from some point in 2000something, we could ONLY hire temp agency workers for tech work. You might imagine the average productivity when the average tenure is about 3 months (because no programmer actually has to stay with a temp agency for long, it's basically "just something to bridge real jobs"), and they were about as motivated as this suggests. Quite a few were "sick" every couple of days, usually suspiciously a few days before they tossed in the "up yours" letter and went away. The only people that stayed were the ones that couldn't get out of the temp job, i.e. the ones that couldn't even get past HR because even HR noticed how inept they are.

Now take a wild guess what quality gets produced in such an environment.

Queue Comments on Internet .. 3 .. 2 .. 1 (4, Interesting)

OzPeter (195038) | more than 3 years ago | (#36987044)

Can we please get over the usual comments of "Why are these even connected to the Internet??!?!?!?"

As TFA points out, even air gapping the control and business networks doesn't always work. And in every plant I have worked in (except one*) over the last XXX number of years, I have been freely allowed to load up any file I wanted (using my own USB flash drive) into the control network. I believe my equipment is free of viruses, but with the sophistication of Stuxnet, who can tell what the next generation of industrial sabotage tools will be like and if/how they can be detected by current technology. So I can only assume that I have not caused any issues for my clients.

[*] The exception was a plant where there was some controls software running on a VM that was on a server under control of the IT department. The only way *I* could get files onto that box was to upload them to a public directory and let the corporate system check them and drop them off on the other side of the firewall. Unless of course I handed my USB key to the client and said "Can you directly drop these files on the server for me???"

Re:Queue Comments on Internet .. 3 .. 2 .. 1 (1)

ZaphDingbat (451843) | more than 3 years ago | (#36988046)

Except that if the network isn't connected to the Internet in any way, and you're relying on a third party as your vector, you have no way of getting information back about their systems or altering your attack after delivery. You have one shot to get the attack right.

Removing the Internet vector doesn't eliminate the possibility of attack, but it sure cuts down on chances for success. I'll take that.

Re:Queue Comments on Internet .. 3 .. 2 .. 1 (0)

Anonymous Coward | more than 3 years ago | (#36988874)

Can we please get over the usual comments of "Why are these even connected to the Internet??!?!?!?"

Only when you stop connecting critical equipment to the internet. Any data that is to be placed on such equipment must be placed on read-only media, taken to two separate intermediary machines used to completely vet the data storage medium, and then finally be introduced to the critical system, after which it must be once again vetted. This is simply the best practice and there is no excuse to do it any other way, sorry.
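The staging chain sketched above only works if each vetting station can prove that what arrived is exactly what left the previous one. The following is an added example, not code from the thread, from Siemens or from any product: a SHA-256 manifest generated where the files originate, carried alongside the media, and checked at every station. The directory layout and file contents in `demo()` are constructed sample data. Note that a manifest that travels on the same media it vouches for is only as trustworthy as that media; a copy kept off the media (or the digests read out to the operator) is the assumption this makes.

```python
# Added example (not from the thread or any vendor): a SHA-256 manifest that
# lets each vetting station confirm the media holds exactly the listed files,
# unmodified, and nothing else.
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, read in chunks so large firmware images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(root: Path) -> str:
    """One '<hexdigest>  <relative path>' line per regular file under root, sorted.

    Produced on the originating machine. Two spaces separate digest and path,
    the same layout sha256sum prints, so the file can also be checked with
    'sha256sum -c' where that tool exists.
    """
    lines = [
        f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
        for p in sorted(root.rglob("*"))
        if p.is_file()
    ]
    return "\n".join(lines) + "\n"


def verify_manifest(root: Path, manifest: str) -> list[str]:
    """Return the discrepancies between the tree under root and the manifest.

    An empty list means every listed file is present with the expected digest
    and nothing else is on the media. Files present but not listed are reported
    too: an extra file (an autorun.inf, a dropped executable) is precisely what
    a vetting station exists to refuse.
    """
    expected: dict[str, str] = {}
    for line in manifest.splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    problems: list[str] = []
    for rel, digest in expected.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(root / rel) != digest:
            problems.append(f"modified: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in sorted(present - set(expected)))
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean transfer, then the same media seen downstream
    after one file was altered and one file was added."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp) / "media"
        (media / "project").mkdir(parents=True)
        (media / "project" / "logic.bin").write_bytes(b"\x00\x01\x02" * 1000)
        (media / "README.txt").write_text("constructed sample payload\n")
        manifest = make_manifest(media)            # made where the files originate

        clean = verify_manifest(media, manifest)   # station 1: media untouched

        (media / "project" / "logic.bin").write_bytes(b"\x00\x01\x03" * 1000)
        (media / "autorun.inf").write_text("[autorun]\n")
        tampered = verify_manifest(media, manifest)  # station 2: media altered
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The check is deliberately strict in both directions: a missing or altered file fails, and so does any file the manifest does not name. Read-only media (a finalized optical disc) addresses the write path; the manifest addresses whether what was written is what was authorized.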

I just skimmed the summary.... (0)

Anonymous Coward | more than 3 years ago | (#36987134)

What's this about seamen in the back door?

AB Logix (2)

Is0m0rph (819726) | more than 3 years ago | (#36987180)

Allen Bradley CEO sees $$$$$$$

Re:AB Logix (1)

gstrickler (920733) | more than 3 years ago | (#36987502)

AB better be implementing a large scale code review, or the next article will be about their vulnerabilities.

Siemens makes me cringe (0)

Anonymous Coward | more than 3 years ago | (#36987224)

I worked for Siemens for a few months in their Vienna Software Development center after graduating from college and I can say one thing: never since have I seen such a collection of average, non-interested and downright incompetent people working on large-scale software systems. The fact that Siemens builds machinery which runs our factories or even nuclear power plants should be cause for extreme Angst.

Re:Siemens makes me cringe (1)

GameboyRMH (1153867) | more than 3 years ago | (#36988522)

Siemens also makes many of the Fisher Price My First Modems that telcos give to their customers. 'Nuff said.

Runs Linux (1)

giminy (94188) | more than 3 years ago | (#36987246)

According to Digital Bond [digitalbond.com], Beresford's PLC runs Linux. Cue the GPL requests for Siemens' source code now (I wonder if the backdoor username and password are hard-coded into a GPL'd utility :)).

Disclosure: I work for Digital Bond.

Reid

Never liked PLC's (1)

Murdoch5 (1563847) | more than 3 years ago | (#36987324)

Now I really don't like PLC's :-). Computers win again!!!!! HAHAHA

"It's Unix! I know that language!" (1)

bmcraec (1957382) | more than 3 years ago | (#36987446)

I blame Wayne Knight. If he had been a bit thinner, perhaps with a German accent, and been less bumbling, maybe the world would THINK about the means it uses to keep various carnivorous dinosaurs from leaving their security enclosures. And Crichton should have named the character von Nedry-Schleswig, or something. You've got to take the bad guys seriously if you have NO IDEA how they do their evil plans. No, no metaphors at all in that paragraph.

This is really no joke. (0)

Anonymous Coward | more than 3 years ago | (#36987454)

These are the exploits needed to topple governments, infrastructures, and peoples. These vulnerabilities are exactly why the US had better get the handle on the cyberspace war or else we are finished.

Y2K (0)

Anonymous Coward | more than 3 years ago | (#36987536)

Apparently the industry learned little from the whole Y2K thing. This is worse. (It may not matter if your elevator controller knows what year it is, although I can see where it might for your reactor control system (adjusting for changing isotope ratios as fuel burns, for example). It matters to both if they're accessible via backdoors or prone to malware.)

I think what's needed is a Y2K-like effort to clean up infrastructure code, perhaps motivated by a government-set deadline beyond which civil and criminal liability increases steeply.

Hmmm (0)

Anonymous Coward | more than 3 years ago | (#36987684)

I used to work for an OEM that produced Die Cast and Injection Molding machines.. We (the support team) tried to warn them years ago about specific vulnerabilities but no one listened. This is a serious issue as someone could gain access to the machine and operate it without knowing if someone was between the platens or in the link housing performing maintenance.

I guess I'm an idiot (1)

kelemvor4 (1980226) | more than 3 years ago | (#36988022)

But when was it decided to connect industrial systems like this to the internet at all? Didn't isolation (or at least isolated networks) used to be the norm? I have to say if I was running a robot that builds cars or a machine that controls nuclear material I would definitely not connect it to the internet or even a company's LAN.

Not that it makes these problems unimportant, but everyone seems to be overlooking the obvious basic bumble of connecting a critical system to a public network.

Re:I guess I'm an idiot (1)

Lieutenant_Dan (583843) | more than 3 years ago | (#36988640)

No, you're not an idiot, those are valid questions.

As you indicated; these belong on isolated networks. Now "isolated" can mean a lot of things to different people. In some places it's a VLAN on a switch and bunch of (active) ports across the factory floor. Ports that may not enforce NAC or some other restriction. So, someone could plug in a device and get to it.

Also vendors may have access to these isolated networks via VPN or dedicated connections. Sometimes that's the best way to gain access to a company's network.

In some settings, WiFi may be the connectivity path which could be exploited. I work in healthcare where you see this more and more. I've seen vendors supply equipment with WEP-based WiFi crap.

And if it's not physically separated, i.e. logically (e.g. a DMZ) then there may be configuration or vulnerabilities to exploit.
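The comment above lists the ways an "isolated" control network is typically reachable anyway: live floor ports on the control VLAN with no NAC, and vendor access paths. The following is an added example, not code from the thread, from Siemens or from any switch vendor, that audits a port inventory for the first of those gaps. The inventory format, port names and VLAN numbers are constructed assumptions, not any vendor's CLI output; the rule it applies is the one the comment implies: an enabled port on a control VLAN that enforces neither 802.1X nor MAC port security is a place someone can plug in.

```python
# Added example (not from the thread or any vendor): flag enabled control-VLAN
# switch ports that nothing gates. Inventory format and numbers are constructed.
from __future__ import annotations

from dataclasses import dataclass

# Assumption: VLAN 100 is the PLC/HMI segment, VLAN 110 the vendor-access segment.
CONTROL_VLANS = {100, 110}

# Constructed sample inventory: name, admin state, VLAN, 802.1X, port security, description.
SAMPLE_INVENTORY = """\
# port     admin     vlan  dot1x  portsec  description
Gi1/0/1    enabled   100   no     yes      PLC rack A (sticky MAC)
Gi1/0/2    enabled   100   no     no       spare, floor box 3
Gi1/0/3    disabled  100   no     no       spare, floor box 4
Gi1/0/4    enabled   20    yes    no       office
Gi1/0/5    enabled   100   yes    no       engineering laptop drop
Gi1/0/6    enabled   110   no     no       vendor modem / VPN appliance
"""


@dataclass(frozen=True)
class Port:
    name: str
    enabled: bool        # administratively up: a plugged-in device would get link
    vlan: int
    dot1x: bool          # 802.1X / NAC enforced on the port
    port_security: bool  # MAC-based port security (sticky or static)
    description: str


def parse_inventory(text: str) -> list[Port]:
    """Parse the constructed whitespace-separated format; '#' lines are comments."""
    ports: list[Port] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, enabled, vlan, dot1x, portsec, *desc = line.split(maxsplit=5)
        ports.append(Port(
            name=name,
            enabled=enabled.lower() == "enabled",
            vlan=int(vlan),
            dot1x=dot1x.lower() == "yes",
            port_security=portsec.lower() == "yes",
            description=desc[0] if desc else "",
        ))
    return ports


def unguarded_control_ports(ports: list[Port],
                            control_vlans: set[int] = CONTROL_VLANS) -> list[str]:
    """Names of enabled ports on a control VLAN with neither 802.1X nor port security.

    A PLC usually cannot do 802.1X, so a sticky-MAC port-security entry is
    accepted as the gate for such ports (Gi1/0/1 in the sample). An enabled
    spare port with neither (Gi1/0/2) is the classic open floor box.
    """
    return [
        p.name for p in ports
        if p.enabled and p.vlan in control_vlans and not (p.dot1x or p.port_security)
    ]


if __name__ == "__main__":
    for name in unguarded_control_ports(parse_inventory(SAMPLE_INVENTORY)):
        print("unguarded control-VLAN port:", name)
```

Disabled spares (Gi1/0/3) pass, which is the cheap fix for unused floor boxes: shut the port rather than rely on nobody finding it. The vendor-access port (Gi1/0/6) is flagged because the rule does not know what is behind it; whether that path is acceptable is exactly the question the comment raises about vendor VPNs and dedicated connections.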

cadbery and kraft bitchez (0)

Anonymous Coward | more than 3 years ago | (#36988070)

down down down

complete hype (1)

Gravis Zero (934156) | more than 3 years ago | (#36988492)

this is so much hype. seriously, who is going to take the time to hack this kind of hardware. it's not like you see industrial machinery breaking because of-wait. what? what is this Stuxnet you speak of?

semen and backdoors are not a good match! (0)

Anonymous Coward | more than 3 years ago | (#36988702)

I've said it before, semen and backdoors should not ever be used in the same sentence!
