Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Unpatchable Hardware Vulnerability Allows Hacking of Siemens PLCs

Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs).

Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs).

Exploitation of the vulnerability, tracked as CVE-2022-38773, could allow an attacker to bypass protected boot features and persistently modify the controller’s operating code and data. The cause, according to Red Balloon Security, is a series of architectural issues affecting Siemens Simatic and Siplus S7-1500 CPUs.

“The Siemens custom System-on-Chip (SoC) does not establish an indestructible Root of Trust (RoT) in the early boot process. This includes lack of asymmetric signature verifications for all stages of the bootloader and firmware before execution,” Red Balloon explained in a blog post on Tuesday.

Siemens S7-1500 CPU vulnerability “Failure to establish Root of Trust on the device allows attackers to load custom-modified bootloader and firmware. These modifications could allow attackers to execute and bypass tamper-proofing and integrity-checking features on the device,” the security firm added.

According to Red Balloon, an attacker can decrypt the firmware of the affected PLCs and generate their own malicious firmware that can be made bootable on more than 100 impacted device models.

Exploitation of the vulnerability requires physical access to the targeted PLC, but the researchers pointed out that a hacker may be able to exploit a different remote code execution flaw in order to deploy the malicious firmware onto the device.

Typically, hacking a PLC could allow an attacker — depending on what the controller is used for — to cause significant damage or disruption within the targeted organization.

Siemens informed customers about the vulnerability, which has a ‘medium severity’ rating based on its CVSS score, on Tuesday, when it released its first round of Patch Tuesday advisories for 2023.

“As exploiting this vulnerability requires physical tampering with the product, Siemens recommends assessing the risk of physical access to the device in the target deployment and to implement measures to make sure that only trusted personnel have access to the physical hardware,” the company said.

The vulnerability cannot be fixed with a firmware update and the industrial giant’s advisory informed customers that “currently no fix is planned”, but it clarified that it has already released new hardware versions that fix the vulnerability for some of the impacted CPUs and it’s working on new hardware versions for the remaining products.

Related: New Vulnerabilities Can Allow Hackers to Remotely Crash Siemens PLCs

Related: Security Researchers Dig Deep Into Siemens Software Controllers

Related: Siemens Not Ruling Out Future Attacks Exploiting Global Private Keys for PLC Hacking

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.