December 21, 2011, 2:44 PM — SCADA software developer Siemens has ignored warnings and lied in at least one case about a serious security flaw that could allow hackers to take control of SIMATIC systems that manage industrial control systems, according to a coder for a different software company, who posted details about the incident in his blog.
The flaw is an authentication bypass that allows anyone to log in to a Siemens SIMATIC industrial control system by using the password "100" or by predicting a "random" string of session-authentication numbers that actually change by only one digit from session to session, according to a posting in the personal blog of security specialist Billy Rios.
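The kind of check a defender can run against a series of session-authentication numbers collected from their own system to spot the behaviour described above, as an added example that is not from the article, from Rios or from Siemens (the token sequences and the 50% threshold are constructed assumptions):

```python
"""Assess whether a sequence of session-authentication numbers is predictable.

Added example, not taken from the article or from Siemens software. The
COUNTER_LIKE tokens are constructed to mimic what the article describes (a
"random" number that changes by only one digit per session); RANDOM_LIKE is a
constructed series of the same width for comparison.
"""
import math
from collections import Counter


def digits_changed(a: str, b: str) -> int:
    """Number of digit positions that differ between two tokens."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(x != y for x, y in zip(a, b))


def mean_digits_changed(tokens: list[str]) -> float:
    """Average number of positions that change from one token to the next."""
    pairs = list(zip(tokens, tokens[1:]))
    return sum(digits_changed(a, b) for a, b in pairs) / len(pairs)


def shannon_entropy_bits(values) -> float:
    """Entropy of the distribution of values (0.0 when every value is equal)."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(tokens: list[str], min_change_ratio: float = 0.5) -> dict:
    """Report on a token series; predictable=True when consecutive tokens share
    most of their digits or always differ by the same amount (a counter)."""
    width = len(tokens[0])
    changed = mean_digits_changed(tokens)
    deltas = [int(b) - int(a) for a, b in zip(tokens, tokens[1:])]
    return {
        "mean_digits_changed": changed,
        "delta_entropy_bits": shannon_entropy_bits(deltas),
        "predictable": changed / width < min_change_ratio or len(set(deltas)) == 1,
    }


# Constructed: a counter dressed up as a 7-digit "random" token.
COUNTER_LIKE = [f"{4817263 + i:07d}" for i in range(10)]
# Constructed: unrelated 7-digit values standing in for properly random tokens.
RANDOM_LIKE = ["9301845", "0276519", "5530982", "7718204", "1964037",
               "3482716", "8057361", "6149520", "2893175", "4625890"]

if __name__ == "__main__":
    print("counter-like:", assess(COUNTER_LIKE))
    print("random-like: ", assess(RANDOM_LIKE))
```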
Rios described himself as a security specialist for a major online software developer who has worked as a security engineer at VeriSign, Ernst & Young and the Department of Defense.
He also said he has reported more than 1,000 bugs in various applications to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the section of the Department of Homeland Security responsible for tracking security bugs and arranging with vendors to have them fixed.
Rios wrote that he discovered the authentication bypass in Siemens SIMATIC software; the flaw exposes Telnet, VNC and web services when the SIMATIC software is installed and therefore "affects pretty much every Siemens SIMATIC customer."
He never heard back.
Recently, during a conversation with a Reuters reporter, Rios mentioned the critical flaw; the reporter asked Siemens about it.
"Today, I was forwarded the following from Siemens PR (Alex Machowetz) via a Reuters reporter that made an inquiry about the bugs we reported: 'I contacted our IT Security experts today who know Billy Rios…. They told me that there are no open issues regarding authentication bypass bugs at Siemens,'" Rios wrote.
Not only is Siemens denying the bug, it's denying the bug after referencing the specific Siemens security developers who know Billy Rios and who said specifically they are not investigating any bug reported by Rios or, parenthetically, anyone else.