Title reflects ICS-CERT view of reality
Today, Rubén Santamarta (@reversemode) released a security advisory about Modicon PLCs. There are quite a few striking things about these devices.
1) It’s incredibly easy to download the firmware from Schneider. I’m actually quite thankful for this. Rubén found the vulnerabilities using only static analysis of the downloaded firmware — he had no access to an actual controller, and he did it as a hobby. This further proves that finding vulns in PLCs is hardly the work of well-funded individuals. The instruction sets of the firmware images (PowerPC and ARM) are well-known and well-supported by our favorite disassembler.
2) There are a huge number of hard-coded accounts in the devices. These accounts let a user do *anything* to the device — they all have the same privileges. By anything, I mean: you can upload a new firmware to the device and use the Ethernet module in a Modicon as a general-purpose computer. Want to run Linux on it? That’s possible. Want to install extra tasks in the vxWorks image to, say, randomly twiddle input and output data? Also possible. It takes time, but it isn’t rocket science.
3) Schneider left debugging symbols in the firmware, which are pretty easy to reverse engineer. With those, you get the names of all of the disassembled functions in the firmware. Combined with a copious number of “printf()” style debugging messages, this makes it easy to figure out what the firmware is doing.
4) Schneider left hardware in these devices that makes relocating the firmware easy. I wasn’t as clever as Rubén to use jumptables as a way of relocating the firmware…I used some developer cruft to come to the same conclusion.
Rubén and I rather hilariously found the same issues in the device. Apparently someone else did, too. ICS-CERT would call these “not vulnerabilities” (at least some of the backdoor accounts are part of the system design, for performing firmware updates and other maintenance tasks). Rubén informed ICS-CERT about these issues months ago.
I would love to be a fly on the wall at Schneider to learn how their development and release process works. It seems that things are a bit broken…odd because Schneider is ISO 9001 certified, and usually weird development/release processes would be caught in an audit somewhere along the way.
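The kind of release-gate check that catches point 3 before an image ships, written here as an added example (not code from the post, and not anything Schneider uses): a `strings`-style scan that flags printf-style debug messages and symbol-table-like identifiers left in a firmware build. The sample image and its names are constructed for the example.

```python
from __future__ import annotations
import re

# Printable ASCII runs of at least 6 bytes, the same heuristic `strings` uses.
_STRING_RUN = re.compile(rb"[\x20-\x7e]{6,}")
# A printf-style conversion specifier such as %d, %08x, %-10s or %lu.
_FORMAT_SPEC = re.compile(rb"%[-+ 0#]*\d*(?:\.\d+)?(?:hh|h|ll|l|z)?[diouxXcsp]")
# C-identifier-like names terminated by NUL, as a leftover symbol table stores them.
# This is a heuristic; a real gate would also parse the image's symbol sections.
_SYMBOL_LIKE = re.compile(rb"[A-Za-z_][A-Za-z0-9_]{7,}\x00")


def find_format_strings(blob: bytes) -> list[str]:
    """Return printable strings in the image that carry printf-style specifiers."""
    return [
        run.group().decode("ascii")
        for run in _STRING_RUN.finditer(blob)
        if _FORMAT_SPEC.search(run.group())
    ]


def find_symbol_like_names(blob: bytes) -> list[str]:
    """Return NUL-terminated identifier-like names (likely function symbols)."""
    return [m.group()[:-1].decode("ascii") for m in _SYMBOL_LIKE.finditer(blob)]


def release_gate(blob: bytes, max_format_strings: int = 0,
                 max_symbols: int = 0) -> tuple[bool, dict]:
    """Pass/fail verdict plus counts; thresholds default to 'none allowed'."""
    fmt = find_format_strings(blob)
    syms = find_symbol_like_names(blob)
    report = {"format_strings": len(fmt), "symbol_like_names": len(syms)}
    return (len(fmt) <= max_format_strings and len(syms) <= max_symbols), report


# Constructed sample image: a few opcode-like bytes, two debug messages and two
# symbol-style names. Not taken from any real firmware.
SAMPLE_IMAGE = (
    b"\x7f\x00\x01\x02\x90\x21\xff\xf0"
    b"tcpTaskInit: socket %d bound to port %u\x00"
    b"\x41\x82\x00\x10"
    b"fwUpdateHandler\x00"
    b"modbusRxDispatch\x00"
    b"ERR %s line %d\x00"
    b"\x4e\x80\x00\x20"
)

if __name__ == "__main__":
    ok, report = release_gate(SAMPLE_IMAGE)
    print("PASS" if ok else "FAIL", report)
```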
Update: Rubén has been hearing from ICS-CERT and Schneider (sorry for the confusion), and both have been reacting well to his original contacts.
Image by pocarles