Doors of Durin: The Veiled Gate to Siemens S7 Silicon

Presented at Black Hat Europe 2019, Dec. 4, 2019, 12:10 p.m. (50 minutes)

Siemens is a leading provider of industrial automation components for critical infrastructures, and its S7 PLC series is one of the most widely used PLC families in the industry. In recent years, Siemens has integrated various security measures into its PLCs. These include, among others, firmware integrity verification at boot time, performed by separate bootloader code. This code is stored in a separate SPI flash, and its firmware image is not available from Siemens' website. In this talk, we present our investigation of the code running in the Siemens S7-1200 PLC bootloader and its security implications. Specifically, we will demonstrate that this bootloader, which to the best of our knowledge has been running at least on Siemens S7-1200 PLCs since 2013, contains an undocumented "special access feature". This feature is activated when the user sends a specific command via UART within the first half-second of the PLC booting. It provides functionality such as limited reads and writes to memory at boot time over the UART interface. We discovered that a combination of these protocol features can be exploited to execute arbitrary code on the PLC and to dump the entire PLC memory using a cold-boot-style attack. The feature can therefore be used to undermine the security ecosystem that Siemens has established. On a positive note, once the asset owner is aware of it, the feature can also be used for good, e.g., as a forensic interface for Siemens PLCs. The talk will be accompanied by a demo of our findings.


Presenters:

  • Thorsten Holz - Professor, Ruhr-University Bochum
    Thorsten Holz is a professor in the Faculty of Electrical Engineering and Information Technology at Ruhr-University Bochum, Germany. His research interests include technical aspects of secure systems, with a specific focus on systems security. Currently, his work concentrates on reverse engineering, automated vulnerability detection, and studying the latest attack vectors. He received the Dipl.-Inform. degree in Computer Science from RWTH Aachen, Germany (2005), and the Ph.D. degree from the University of Mannheim (2009).
  • Tobias Scharnowski - PhD Student, Ruhr-University Bochum
    Tobias Scharnowski is a PhD student who has just started at Ruhr-University Bochum, Germany. He enjoys binary software security and reverse engineering and has recently focused his research on embedded systems. As an active member of the CTF community, he has participated in the finals of events such as DEF CON CTF, Real World CTF and Hack In The Box. He is also one of the main challenge designers of the hack.lu CTF organized by FluxFingers.
  • Ali Abbasi - Post-Doctoral Researcher, Ruhr-University Bochum
    Ali Abbasi is a Post-Doctoral researcher at the Chair for System Security of Ruhr-University Bochum, Germany. His research interests involve embedded systems security, mostly related to Industrial Control Systems, Critical Infrastructure security, and Real-Time Operating Systems security. He received his MSc degree in Computer Science from Tsinghua University, Beijing, China, where he worked on Programmable Logic Controller (PLC) security in the Network Security Lab of the Microprocessor and SoC Technology R&D Center, funded by a National 863 High-tech Program grant from the Ministry of Industry and Information Technology of China. Ali received his PhD degree from Eindhoven University of Technology, the Netherlands, where he worked on code-reuse defences for Programmable Logic Controllers (PLCs) and other embedded systems.
