Red Balloon Security Discloses Multiple Critical Vulnerabilities in Siemens S7-1500 Series PLC

The disclosed vulnerabilities could expose industrial operators to malicious firmware updates that will be difficult to detect. These vulnerabilities can be ‘chained’ with other remote access vulnerabilities on the same network to allow malicious actors to launch remote attacks on equipment.

NEW YORK–(BUSINESS WIRE)–Red Balloon Security, a leading provider of host-based firmware security solutions, has disclosed multiple, critical architectural vulnerabilities in the Siemens SIMATIC and SIPLUS S7-1500 Series PLC that allow for bypass of all protected boot features. These vulnerabilities affect over 120 different models of the Siemens S7-1500 CPU product family.

Red Balloon’s discovery has significant implications for industrial environments because it concerns hardware root-of-trust vulnerabilities that cannot be patched. Exploitation of these vulnerabilities could allow offline attackers to generate arbitrary encrypted firmware that is bootable on all Siemens S7-1500 series PLC CPU modules. Furthermore, these vulnerabilities allow attackers to persistently bypass integrity validation and security features of the ADONIS operating system and subsequent user space code. Red Balloon has reported these vulnerabilities to Siemens, and Siemens has confirmed them.

“It’s important for all industrial operators using the Siemens S7-1500 Series PLC to take several steps to prevent possible exploitation of these critical vulnerabilities,” said Dr. Ang Cui, founder and CEO of Red Balloon. “While these vulnerabilities technically require physical access to exploit, it is possible for sophisticated attackers to ‘chain,’ or combine, these vulnerabilities with other remote access vulnerabilities on the same network to install malicious firmware without the need for in-person contact.”

“The vulnerabilities exist because the Siemens custom System-on-Chip (SoC) does not establish a tamper-proof Root of Trust (RoT) in the early boot process,” said Yuanzhe Wu, senior research scientist at Red Balloon. “The Siemens RoT is implemented through the integration of a dedicated cryptographic secure element – the ATECC CryptoAuthentication chip. However, this RoT implementation contains flaws that can be abused by attackers to compromise the RoT itself and allow attackers to decrypt and load tampered firmware on the S7-1500 PLCs without the user’s knowledge.”

Although there are possible ways to mitigate the effects of this hardware RoT exploitation, such as using run-time memory attestation, the fundamental vulnerabilities (improper hardware implementations of the RoT using a dedicated cryptographic processor) are unpatchable and cannot be fixed by a firmware update, since the hardware is physically unmodifiable.

Red Balloon has developed an advanced persistent threat detection tool for owners and operators of the Siemens S7-1500 series PLCs to verify whether vulnerable devices have been tampered with or compromised. Siemens also recommends that customers assess the risk of physical access to the device in the target deployment and implement measures to make sure that only trusted personnel have access to the physical hardware. Siemens’ advisory can be found here.

To limit the effects of potential exploitation of these vulnerabilities, Red Balloon has further recommended several mitigations to Siemens, which include: implementing runtime integrity attestation; adding an asymmetric signature check for firmware in the boot-up scheme; and encrypting the firmware with device-specific keys that are generated on individual devices.


For industrial operators interested in more information about this disclosure, recommended mitigations and how to access the threat detection tool, contact Red Balloon at info@redballoonsecurity.com.

For a detailed explanation of the S7-1500 Series PLC vulnerabilities and potential risks, read Red Balloon’s technical writeup at https://redballoonsecurity.com/siemens-discovery/.

ABOUT RED BALLOON SECURITY

Red Balloon Security (www.redballoonsecurity.com) is a leading cybersecurity provider and research firm that specializes in the protection of embedded devices across all industries. The company’s technology defends embedded systems with a suite of host-based firmware security solutions that provide continuous runtime protection of firmware and secure embedded systems against exploitation. Red Balloon Security’s pioneering R&D is led by a team of world-class academic researchers and developers who have published seminal research papers in the fields of embedded security and intrusion detection, led U.S. Department of Defense-funded research activities, ethically disclosed vulnerabilities within hundreds of millions of ubiquitous embedded devices and worked as embedded security researchers within various intelligence agencies.

Contacts

For industrial operator inquiries:

Andrew Taub, Commercial Lead, andrew@redballoonsecurity.com

For media requests:

Michael Sias, Firm 19, inquiry@firm19.com
