Claroty Cybersecurity

Team82 discovers vulnerabilities in Siemens S7-1200 and S7-1500 controllers

Pinterest LinkedIn Tumblr

Close to 10 years ago, Siemens introduced asymmetric cryptography into the integrated security architecture of its TIA Portal v12 and SIMATIC S7-1200/1500 PLC CPU firmware families. This was done to ensure the integrity and confidentiality of devices and user programs, as well as for the protection of device communication within industrial environments.

Dynamic key management and distribution did not exist then for industrial control systems, largely because of the operational burden that key management systems would put on integrators and users. Siemens decided at the time instead to rely on fixed cryptographic keys to secure programming and communications between its PLCs and the TIA portal.

Since then, however, advances in technology, security research, and a swiftly changing threat landscape have rendered such hardcoded crypto keys an unacceptable risk. A malicious actor who is able to extract a global, hardcoded key, could compromise the entire device product line security in an irreparable way.

Team82 has to date conducted extensive research into PLC security, working closely with leading vendors to eradicate such practices as hardcoded keys, demonstrate the risk they pose to users’ systems, and improve the overall security of the industrial automation ecosystem.

Our latest work—an extension of previous research conducted on Siemens SIMATIC S7-1200 and S7-1500 PLCs, as well as Rockwell Automation’s Logix controllers and Studio 5000 Logix Designer—continues on that path.

We uncovered and disclosed to Siemens a new and innovative technique targeting SIMATIC S7-1200 and S7-1500 PLC CPUs that enabled our researchers to recover a global hardcoded cryptographic key (CVE-2022-38465) used by each Siemens affected product line. The key, if extracted by an attacker, would give them full control over every PLC per affected Siemens product line.

Using a vulnerability uncovered in previous research (CVE-2020-15782) on Siemens PLCs that enabled us to bypass native memory protections on the PLC and gain read and write privileges in order to remotely execute code, we were able to extract the internal, heavily guarded private key used across the Siemens product lines. This new knowledge allowed us to implement the full protocol stack, encrypt and decrypt protected communication, and configurations.

Siemens’ response to this private disclosure led to an overhaul of the cryptographic schemes protecting its flagship PLC lines, as well as its TIA Portal engineering workstation application. Siemens acknowledged in a security advisory that existing protections around its hardcoded key are no longer sufficient, and invested the resources and time necessary to introduce a dynamic public-key infrastructure (PKI) that eliminates the use of hardcoded keys.

Siemens recommends users immediately update SIMATIC S7-1200 and S7-1500 PLCs and corresponding versions of the TIA Portal project to the latest versions. TIA Portal V17 and related CPU firmware versions include the new PKI system protecting confidential configuration data based on individual passwords per device and TLS-protected PG/PC and HMI communication, Siemens said in its advisory.

The Race to Native Code Execution in PLCs: Using RCE to Uncover Siemens SIMATIC S7-1200/1500 Hardcoded Cryptographic Keys


Comments are closed.