sOfT7: Revealing the Secrets of Siemens S7 PLCs

Presented at Black Hat USA 2022, Aug. 10, 2022, 2:30 p.m. (30 minutes)

The programmable logic controller (PLC) is a reliable hardware device implementing complex monitoring and control logic for industrial control systems. The pursuit of new advanced features has driven ICS vendors to come up with new-generation PLCs that contain a full standard OS environment (e.g., Windows or Linux). They are commonly known as PC-based PLCs or SoftPLCs. Siemens' SoftPLC is called ET 200SP and, unlike common PLCs (which typically use customized processors), it contains a standard Intel Atom CPU. The PLC runs a hypervisor that controls two VMs: Windows and Adonis Linux, which Siemens calls SWCPU. The Adonis kernel runs the programmable control logic and functions as a software PLC. The SWCPU is stored encrypted in the PLC storage and is decrypted by the hypervisor during the boot process of the PLC.

Since the boot process of the ET 200SP is not secure, an attacker can boot an OS of their choice and read the full filesystem, including the binary of the hypervisor, the encrypted SWCPU, and the GRUB configuration files. Surprisingly, this filesystem is also accessible from the Windows VM. We located the code in the hypervisor that decrypts the SWCPU and ran it in a standard Linux environment using Intel Pin. We managed to extract the plaintext SWCPU, which had been kept secret for years, ever since Siemens, like other vendors, started encrypting their firmware before release. Our success indicates that the decryption key is hardcoded.

Our initial research shows evidence that the SWCPU contains a codebase shared with other Siemens S7 PLCs (e.g., Siemens' Adonis kernel). Thus, it can be used for vulnerability research across the full Siemens S7 product line. Our conclusion is that Siemens invested effort in protecting the secrecy of the S7 PLC codebase but failed to adapt their security mechanisms to the new standard environment.


Presenters:

  • Idan Raz - Grad Student, Technion
    Idan Raz is a Grad Student at Technion.
  • Alon Dankner - Grad Student, Technion
    Alon Dankner is a Grad Student at the computer science faculty in the Technion and a security researcher for CyCloak. At the age of 19, Alon graduated with honors, receiving a BSc degree in computer science from the University of Haifa as part of the "Etgar" program (Etgar means Challenge) for outstanding high school students. Computers and network security have always been a topic of interest to him, and his research focuses on the security of industrial control systems.
  • Sara Bitan - Dr., Technion
    Dr. Sara Bitan is a senior researcher at the Technion Hiroshi Fujiwara Cyber Security Research Center. Her research interests include the security of embedded systems, including PLCs, vehicle ECUs, and trusted execution environments. Sara has over 20 years of experience in the cyber-security industry. She was the V.P. of Research and Development of a network security startup, and worked as a security architect at Microsoft. Sara is a co-founder of CyCloak, which provides advanced cyber-security solutions. Sara holds BA, MSc, and PhD degrees from the computer science faculty in the Technion in Haifa, Israel.
  • Eli Biham - Prof., Technion
    Prof. Eli Biham received his BSc in Mathematics and Computer Science from Tel Aviv University (cum laude) in 1982, and his PhD from the Weizmann Institute (1991). His PhD thesis developed Differential Cryptanalysis, the first cryptanalysis method that could break the Data Encryption Standard (DES), and the first general cryptanalysis method that was applicable to a large family of block ciphers. Since 1991 he has been a faculty member at the Technion's faculty of Computer Science. He (together with his students and colleagues) developed various methods for the analysis of various kinds of ciphers. The best known of these are DES, and the cipher of the GSM cellular phone system (A5) - which proved that it is easy to listen in to any GSM (voice or data) conversation, and even to fake such calls as if they originated from somebody else's phone. He also developed new ciphers, the best known of which is Serpent, which was a leading candidate to become the Advanced Encryption Standard (AES) - the successor of DES. Eli Biham is the founding head of the Technion Hiroshi Fujiwara cyber security research center. He has served on dozens of program committees, as the program and general chair of the FSE 1997 workshop, and as program chair of EUROCRYPT 2003 and SAC 2006. He was also an editor of the Journal of Cryptology and a director in the International Association for Cryptologic Research (IACR). Between 2008 and 2013 he served as the dean of the faculty of computer science. Since 2012 he has been an IACR fellow. He received the RSA award (2012) and holds the position of IACR distinguished lecturer (2013).
  • Maxim Barsky - Grad Student, Technion
    Maxim Barsky is a Grad Student at Technion.
