Security News > 2023 > January > Over 100 Siemens PLC Models Found Vulnerable to Firmware Takeover

Security researchers have disclosed multiple architectural vulnerabilities in Siemens SIMATIC and SIPLUS S7-1500 programmable logic controllers that could be exploited by a malicious actor to stealthily install firmware on affected devices and take control of them.

Put differently, the weaknesses are the result of a lack of asymmetric signature verifications for firmware at bootup, effectively permitting the attacker to load tainted bootloader and firmware while undermining integrity protections.

A more severe consequence of loading such modified firmware is that it could give the threat actor the ability to persistently execute malicious code and gain total control of the devices without raising any red flags.

The lack of a firmware update is attributed to the fact that the cryptographic scheme that undergirds the protected boot features is baked into a dedicated physical secure element chip, which decrypts the firmware in memory during startup.

An attacker with physical access to the device could therefore leverage the issues identified in the cryptographic implementation to decrypt the firmware, make unauthorized changes, and flash the trojanized firmware onto the PLC either physically or by exploiting a known remote code execution flaw.

"The fundamental vulnerabilities - improper hardware implementations of the using dedicated cryptographic-processor - are unpatchable and cannot be fixed by a firmware update since the hardware is physically unmodifiable," the researchers explained.

News URL

https://thehackernews.com/2023/01/over-100-siemens-plc-models-found.html