SCADA software developer Siemens has ignored warnings and lied in at least one case about a serious security flaw that could allow hackers to take control of SIMATIC systems that manage industrial control systems, according to a coder for a different software company, who posted details about the incident in his blog.
The flaw is an authentication bypass that allows anyone to log in to a Siemens SIMATIC industrial control system by using the password "100" or by predicting a "random" string of session-authentication numbers that actually change by only one digit from session to session, according to a posting in the personal blog of security specialist Billy Rios.
Rios described himself as a security specialist for a major online software developer who has worked as a security engineer at VeriSign, Ernst & Young and the Department of Defense.
He also said he has reported more than 1,000 bugs in various applications to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the section of the Department of Homeland Security responsible for tracking security bugs and arranging with vendors to have them fixed.
Rios wrote that he discovered the authentication bypass in Siemens SIMATIC software – a flaw in the security that exposes Telnet, VNC and web services when the SIMATIC software is installed and therefore "a affects pretty much every Siemens SIMATIC customer," Rios wrote.
He never heard back.
Recently, during a conversation with a Reuters reporter, Rios mentioned the critical flaw; the reporter asked Siemens about it.
"Today, I was forwarded the following from Siemens PR (Alex Machowetz) via a Reuters reporter that made an inquiry about the bugs we reported: 'I contacted our IT Security experts today who know Billy Rios…. They told me that there are no open issues regarding authentication bypass bugs at Siemens,'" Rios wrote.
Not only is Siemens denying the bug, it's denying the bug after referencing the specific Siemens security developers who know Billy Rios and who said specifically they are not investigating any bug reported by Rios or, parenthetically, anyone else.
It's possible the report didn't make it from ICS-CERT to Siemens, or got shelved for some unintentional reason at Siemens, or fixed much more quickly than Rios expected with no notice to either customers or the one who reported the bug.
"Either that or Siemens just blatantly lied to the press about the existence of security issues that could be used to damage critical infrastructure…. but Siemens wouldn’t lie… so I guess there is no authentication bypass," Rios wrote.
Since there is not authentication problem with the SIMATIC software, Rios figured, he was free to talk about the flaw that didn't exist.
So, just for your amusement, especially if you're a Siemens SIMATIC customer, or know one, or know of one you'd like to crack into but can't, here are details on the bug Rios found that doesn't exist:
"First, the default password for Siemens SIMATIC is "100". There are three different services that are exposed when Siemens SIMATIC is installed; Web, VNC, and Telnet. The default creds for the Web interface is "Administrator:100" and the VNC service only requires the user enter the password of "100" (there is no user name). This is likely the vector pr0f used to gain access to South Houston (but only he can say for sure). All the services maintain their credentials separately, so changing the default password for the web interface doesn’t change the VNC password (and vice versa). I’ve found MANY of these services listening on the Internet… in fact you can find a couple here: http://www.shodanhq.com/search?q=simatic+HMI
But WAIT… there’s MORE! If a user changes their password to a new password that includes a special character, the password may automatically be reset to "100." Yes, you read that correctly… if a user has any special characters in their password, it may be reset to "100." Billy (BK) Rios, Dec. 20, 2011
Some of these "awesome design decisions" are documented in SIMATIC manuals, others are scheduled for some fixes in future updates, according to the comments accompanying Rios' blog.
The rest must be imaginary. Which is a darn good thing. Leaving the door open on a critical infrastructure system like that could be dangerous.