Researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems.
The vulnerabilities were discovered by Russian researchers who over the last year probed popular and high-end ICS and supervisory control and data acquisition (SCADA) systems used to control everything from home solar panel installations to critical national infrastructure.
Positive Research chief technology officer Sergey Gordeychik and consultant Gleb Gritsai detailed vulnerabilities in Siemens WinCC software which was used in industrial control systems including Iran's Natanz nuclear plant that was targeted by the US Stuxnet program.
"We don’t have big experience in nuclear industry, but for energy, oil and gas, chemical and transportation sectors during our assessments project we demonstrated to owners how to get full control [of] industrial infrastructure with all the attendant risks," Gordeychik told SC Magazine.
The vulnerabilities existed in the way passwords were encrypted and stored in the software's Project database and allowed attackers to gain full access to Programmable Logic Controllers (PLCs) using attacks described as dangerous and easy to launch.
A vulnerability was also found in cloud SCADA platform Daq Connect which allowed attackers running a demonstration kiosk to access other customer installations. The vendor told the researchers who reported the flaw to simply 'not do' the attacks.
The researchers published an updated version of a password-cracking tool that targeted the vulnerability in Siemens PLC S-300 devices as part of the SCADA Strangelove project at the Chaos Communications Conference in Berlin.
They also published a cheat sheet to help researchers identify nearly 600 ICS, PLC and SCADA systems.
SCADA Strangelove had identified more than 150 zero day vulnerabilities of varying degrees of severity affecting ICSes, PLCs and SCADA systems. Of those, 31 percent were less severe cross site scripting vulnerabilities and five percent were dangerous remote code execution holes.
The latter vulnerabilities were notably dangerous because most of the affected systems lacked defences such as Address Space Layer Randomisation and Data Execution Prevention designed to make exploitation more difficult.
But it wasn't just industrial systems that were affected; the researchers found some 60,000 ICS devices -- many which were home systems -- exposed to the public internet and at risk of attack.
The most prevalent vendors were Tridium, NRG Systems and Lantronix while the most common devices to be crawled using search engines were the Windcube solar smartgrid system, the IPC CHIP embedded device, and the Lantronix SLS video capture platform.
The researchers reported exposed devices to various computer emergency response teams and watchdog groups including the European infosec agency ENSIA.
The findings follow the discovery of separate serious vulnerabilities in Siemens industrial ethernet switches that allowed attackers to run administrative tasks and hijack web sessions.
Siemens released patches overnight to address the flaws in its SCALANCE X-200 switches that were quietly reported by researchers at security firm IOActive.
The flaws related to a lack of entropy in random number generators used in the switches.
Researcher Eireann Leverett praised Siemens for its rapid response to fix the flaws.