Researcher Accuses Siemens of Serious SCADA Security Cover-Up
This story has been updated with a response from Siemens.
A respected security researcher is accusing the German electronics giant Siemens of lying about several critical vulnerabilities that exist in its industrial-control-system software.
On his personal blog, researcher Billy Rios took Siemens to task for allegedly lying to the international news service Reuters when asked about a security weakness in its Simatic software, a supervisory control and data acquisition (SCADA) program used at infrastructure facilities such as power and wastewater plants.
Rios found the flaw and reported it to Siemens in May, writing, "I've been patiently waiting for a fix for the issue which affects pretty much every Siemens SIMATIC customer."
Yet when a Reuters reporter recently asked Siemens spokesperson Alex Machowetz about the bug, which could allow an attacker to skirt around the software's authentication protocols and remotely access the network used to automate machines at infrastructure plants, Machowetz told the reporter, "there are no open issues regarding authentication bypass bugs at Siemens."
On Thursday (Dec. 22), Reuters reported that Siemens had acknowledged the flaw in a posting on a Siemens website. SecurityNewsDaily could not find that posting, but did find an archived security advisory from late August that mentioned the flaw and gave credit to Rios.
Siemens' denial came a month after a hacker going by the name "pr0f" said he had exploited the same flaw in a proof-of-concept hack into the network of a Texas water-treatment plant.
Siemens did not return a call or email for comment.
"Since Siemens has 'no open issues regarding authentication bypass bugs,' I guess it's OK to talk about the issues we reported in May," Rios wrote. "Either that or Siemens just blatantly lied to the press about the existence of security issues that could be used to damage critical infrastructure ... but Siemens wouldn't lie ... so I guess there is no authentication bypass."
Rios explained the particulars of the Simatic flaw: When the software ships, he wrote, the default out-of-the-box password is 100. When Simatic is installed, three different services are created: a Web service for the Web interface, a Telnet service for remote device management and a virtual network computing (VNC) service for remote access. All three services are configured with the same shockingly simple password, Rios said.
"All the services maintain their credentials separately, so changing the default password for the Web interface doesn't change the VNC password (and vice versa)," he explained.
Rios added that if a Simatic administrator changes his password to a new one containing a special character, "the password may automatically be reset to '100.'"
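As an added illustration (not Siemens' code, nor anything Rios published), the Python model below captures the three behaviours described above: each service keeps its own credential, changing one leaves the others at the default, and a special character triggers the reset to "100". The service names, the set of special characters and the audit routine are assumptions made for the example; the point for an operator is that every service must be checked separately after a password change.

```python
# Model of the reported Simatic credential behaviour (constructed example,
# not Siemens code). Service names and the special-character set are assumed.
DEFAULT_PASSWORD = "100"                       # default reported in the article
SERVICES = ("web", "telnet", "vnc")            # the three services Rios lists
SPECIAL_CHARS = set("!@#$%^&*()[]{}<>?/\\|;:'\",.~`")  # assumed trigger set


def fresh_install():
    """Each service holds its own credential; all start at the default."""
    return {svc: DEFAULT_PASSWORD for svc in SERVICES}


def change_password_one_service(creds, service, new_password):
    """Mimic the reported behaviour: only this service's store changes, and a
    password containing a special character silently falls back to '100'."""
    if any(ch in SPECIAL_CHARS for ch in new_password):
        creds[service] = DEFAULT_PASSWORD
    else:
        creds[service] = new_password
    return creds


def services_still_default(creds):
    """Defender-side audit: which services still accept the default password."""
    return sorted(svc for svc, pw in creds.items() if pw == DEFAULT_PASSWORD)


def rotate_all_services(creds, new_password):
    """Mitigation: update every store, refuse passwords the reset bug would
    discard, and verify afterwards that no service is left at the default."""
    if any(ch in SPECIAL_CHARS for ch in new_password):
        raise ValueError("special characters would trigger the reset to '100'")
    for svc in SERVICES:
        change_password_one_service(creds, svc, new_password)
    leftover = services_still_default(creds)
    if leftover:
        raise RuntimeError(f"default password still active on: {leftover}")
    return creds


if __name__ == "__main__":
    creds = fresh_install()
    change_password_one_service(creds, "web", "Str0ngPass")
    print("still default after changing only the Web password:",
          services_still_default(creds))   # telnet and vnc remain at '100'
    print("after rotating all services:",
          services_still_default(rotate_all_services(fresh_install(), "Str0ngPass")))
```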
This is not Siemens' first run-in with researchers who've exposed serious vulnerabilities in its SCADA products.
At the DefCon hacker conference in August, security consultant John Strauchs demonstrated how a hacker could exploit weaknesses in Siemens' programmable logic controllers (PLCs) to remotely control the locks on prison cells and, theoretically, spring a prisoner from his cell.
The infamous Stuxnet worm also attacked the same model of Siemens PLC, deployed in Iranian nuclear facilities.
UPDATE: Siemens has acknowledged the security flaws, and will be issuing patches for them next month. In a statement on its website, Siemens thanked Rios for disclosing the bugs, and wrote: "The vulnerabilities will be fixed by security updates, first is planned to be issued in January 2012." Siemens said other vulnerabilities that were disclosed this month "are currently under investigation."