Researcher releases tools to switch off PLCs

Powered by SC Magazine
 

System runs online without authentication.

A researcher has revealed dangerous holes in a SCADA (Supervisory Control and Data Acquisiton) system used by some 261 manufacturers including Bosch, CAT and Mitsubishi Electric Europe.

By taking advantage of an absence of authentication and tendency to run the Codesys ladder logic runtime engine as root, an attacker could wipe memory from a Programmable Logic Controller (PLC) running the platform, start and stop the ladder logic and peruse files and directories.

They could also use in-built functions to send and receive files and, via a directory traversal flaw, could read and write files outside of the Codesys system.

"On most operating systems this includes the ability to overwrite critical configuration files such as /etc/passwd and /etc/shadow on linux, or the windows registry on Windows CE," Digital Bond researcher Reid Wightman wrote.

The affected functions within the runtime engine included a TCP file transfer service and command line interface that Wightman found did not require authentication. 

The Codesys runtime engine was also vulnerable because its design ensured it was typically run as root or on operating systems with poor security controls.

Wightman demonstrated the flaws on a WAGO embedded computer PLC, but said the attacks would likely work on all Codesys PLC makes and models. He said the only security offered by the Codesys platform were checks which tested if it was communicating with the correct PLC.

Wightman and a colleague released a pair of Python tools to interact with PLCs running the vulnerable Codesys platform. Both tools, including a command shell utility that grants priveleges to unauthenticated attackers, could be ported to Metasploit.

"It is the equivalent of running the PLC browser function from the Codesys desktop software, but does not assert vendor checks normally performed by the Codesys software — Codesys will normally fail to connect to a PLC and offer this option without properly licensed plugins," Wightman said.

He also released a file transfer tool for reading and writing files on controllers with a filesystem.  

The creators of Codesys 3S Software Gmbh did not respond to requests for comment by the time of publication.

Copyright © SC Magazine, Australia


Researcher releases tools to switch off PLCs
 
 
 
Top Stories
Innovating in the sleepy super industry
There’s little incentive to be on the bleeding edge, so why is Andrew Todd fighting so hard?
 
How technology will unify Toll
The systems headache formed through 15 years of acquisitions.
 
Immigration breached Privacy Act with data leak
Pilgrim slams "copy and paste" of asylum seeker data.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  7%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 834

Vote