Hard-Coded Password and Other Security Holes Found in Siemens Control Systems | Threat Level | Wired.com
The newly discovered vulnerabilities go a step further than Stuxnet, however, in that they allow an attacker to communicate directly with a Siemens PLC without needing to compromise, or even use, the Step7 software.
One of the most serious security holes is a six-letter hardcoded username and password — both “Basisk” — that Siemens engineers had left embedded in some versions of firmware on its S7-300 PLC model. The credentials are effectively a backdoor into the PLC that yields a command shell, allowing an attacker to dump the device’s memory — in order to map the entire control system and the devices connected to it — and reprogram the unit at will.
“I was able to log in via telnet and http, which allowed me to dump memory, delete files and execute commands,” says Dillon Beresford, the security researcher with NSS Labs who discovered the password, and at least a dozen more subtle security holes.
Beresford had planned to discuss a few of the vulnerabilities at TakeDownCon in Texas in May, but pulled the talk at the last minute after Siemens and the Department of Homeland Security expressed concern about disclosing the security holes before Siemens could patch them.