Security Experts:

Connect with us

Hi, what are you looking for?



Undocumented Access Feature Exposes Siemens PLCs to Attacks

Siemens is working on addressing a vulnerability that can be exploited by a skilled attacker to execute arbitrary code on its SIMATIC S7-1200 programmable logic controller (PLC) by abusing a hardware-based access mode.

Siemens is working on addressing a vulnerability that can be exploited by a skilled attacker to execute arbitrary code on its SIMATIC S7-1200 programmable logic controller (PLC) by abusing a hardware-based access mode.

Ali Abbasi, Tobias Scharnowski and Thorsten Holz of the Ruhr-University Bochum in Germany have conducted an analysis of Siemens S7-1200 PLCs, which, according to Siemens, are designed for discrete and continuous control in industrial environments, including in the manufacturing, chemical, and food and beverage sectors.

The researchers analyzed the device’s firmware integrity verification mechanism, which is triggered on boot and uses bootloader code that is stored on separate SPI flash memory. An investigation of this bootloader, which the experts believe is present on S7-1200 PLCs made since 2013, revealed the existence of an undocumented access mode.Siemens S7-1200 PLC

Described by the researchers as a hardware-based special access feature, it’s normally designed to provide additional diagnostic functionality during manufacturing. However, they discovered that an attacker who has physical access to a PLC could abuse it — through a cold boot attack — by sending a special command via the universal asynchronous receiver-transmitter (UART) interface during the first half second of the PLCs booting process, which allows them to dump the firmware from the memory.

An attacker can also leverage a combination of diagnostic functionalities to achieve arbitrary code execution in the bootloader stage, before the PLC firmware is loaded. The researchers have created a proof-of-concept (PoC) exploit showing how this method could be used to write data to the flash chip through the PLC’s firmware update functionality. 

On the other hand, the researchers pointed out that this special access feature could also be leveraged by the owner of a PLC to conduct forensic analysis.

“Assume that your PLC crashed,” Abbasi explained. “Generally, companies can not do forensics on the PLC beside the logs generated by the PLC itself. Now, using this special access, companies [performing forensic analysis] can have a snapshot of the memory of the PLC at the time of the crash and further investigate if there is an infection on the PLC.”

“Another thing is to verify that the control logic is not changed. For example, the first time you upload control logic, you take a snapshot of the memory, and later on if you are suspicious about a PLC, just reboot the PLC, take a snapshot of the corresponding memory and see if the binary is modified or not by comparing it to the original snapshot,” the researcher told SecurityWeek.

He added, “Also, if an attacker exploits the PLC and places shellcode in the memory (and not do a ROP Chain), technically it is now feasible to see the shellcode via a reboot and dumping the memory.”

Learn More About Flaws in ICS Products at SecurityWeek’s 2020 ICS Cyber Security Conference

Abbasi says they have reported their findings to Siemens in March and the company released an advisory this week to inform customers that it’s working on a solution. In the meantime, customers have been advised to ensure protection against physical access and apply defense-in-depth recommendations. The industrial giant told the researchers that it would remove the problematic access mode from PLCs.

The researchers plan on presenting their findings next month at the Black Hat Europe conference in London.

Abbasi told SecurityWeek that the vulnerability was actually discovered one year before it was reported to Siemens. The weakness was found as part of a larger project and the researchers decided not to immediately report it to Siemens due to concerns that the vendor would patch it and make their project unfeasible.

Siemens has assigned the vulnerability the identifier CVE-2019-13945 and a CVSS score of 6.8, which makes it a medium-severity issue.

However, Abbasi explained that exploitation of the vulnerability requires deep knowledge of the PLC operating system. “Once you know the concept it is not that difficult to exploit,” he said.

However, he pointed out that while creating an exploit might not be very difficult, it depends on what the attacker wants to achieve. For example, attempting to write to the flash memory requires deep knowledge of the PLC, its operating system and bootloader.

*updated to clarify that the cold boot attack only allows the attacker to dump the firmware, and that diagnostic functionalities allow arbitrary code execution

Related: Hackers Can Use Rogue Engineering Stations to Target Siemens PLCs

Related: Severe DoS Flaw Discovered in Siemens SIMATIC PLCs

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.