At the recent Black Hat conference in Las Vegas, Alon Dankner and Nadav Adir of the Technion Institute for Technology in TelAviv, Israel delivered a presentation that demonstrated a half-dozen attacks against programmable logic controllers.
The attacks focused on Siemens’ proprietary S7 protocol and PLCs, and ultimately exposed the cryptographic keys protecting the integrity of the instructions and other data downloaded to and uploaded from the PLC.
On this episode of the Nexus Podcast, Dankner joins to cover his and Adir’s work, which uncovered a vulnerability in how the PLCs are configured that puts its private key at risk. They developed six attacks to exploit the design flaws they uncovered in the PLCs.
"Our attacks exploited the key management, the public key infrastructure, of the protocol which was implemented by Siemens," Dankner said. "TLS is a standard protocol and it requires certificates but managing these certificates is an issue in all of these systems. There are requirements you must consider and adapt your security to those requirements."
One of the attacks involved the use of a rogue workstation client that communicates with the PLC and exploits a design flaw in which the PLC sends an encrypted version of the private key over the wire—a practice that should never be implemented.
The researchers also developed a man-in-the-middle attack that uses the stolen key to manipulate programs downloaded to the PLC. Similar to some of the behaviors exhibited in the Stuxnet attack and in separate Team82 research into Siemens PLCs, the malicious code gives an attacker complete control over the process managed by the PLC. The operator, however, is presented with a false picture of the true state of the PLC.
A separate attack, meanwhile, exploits an issue as keys are provisioned from Siemens’ TIA client to the PLC, allowing an attacker to steal the keys and passwords protecting them.
"Our attacks exploited that fact that the S7 protocol moved keys around between devices over the network," he said. "As attackers, we show that we can exploit these provisioning processes to retrieve private keys. It's something that I really doubt you'll see in the IT world. An SQL Server would never give you a private key."
Dankner covers these attacks, and how Siemens worked with them on mitigations.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.