PLC Hacking

The recent approval by Wurldtech for Schneider to self-certify their products as meeting Achilles certification requirements was enough of a push to put up a replacement for the Siemens / Stuxnet counter, as Reid has been suggesting for months. The counter debuts at a whopping 2029 days.

In December 2006 we provided Tenable with a plugin for Nessus that identified if the Modicon Quantum used what we called at the time a default FTP username/password. These are credentials that can be used to upload and download firmware to the PLC.

Subsequently Ruben Santamarta and Reid independently found a number of additional backdoor accounts in Modicon PLCs. And Reid informed me that we were being generous in 2006 when we called the FTP account identified that year a default-credential issue. In fact it is hardcoded in the firmware.

So in addition to being silent for six months on the insecure-by-design issues and vulnerabilities identified by Project Basecamp, we have Schneider not fixing, for more than five years, this hardcoded FTP account that allows an attacker to load his own firmware onto the PLC! Even apologists who say it takes a long time to correct embedded systems must admit that five years is more than enough time.
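While the account stays hardcoded, the owner of the PLC cannot rely on the login itself to distinguish an engineer from an intruder, so the practical detection signal is the FTP session: where it came from and whether it pushed a file onto the controller. The following is an added example, not code from the original post and not Tenable's Nessus plugin; it assumes FTP sessions are already being logged by a network sensor in the simple line format shown, and the addresses, user names and file names are constructed for the demonstration.

```python
"""Flag FTP sessions to PLCs that come from unapproved hosts or upload files.

Added example; not from the original post. Assumes FTP sessions are logged
in the constructed one-line format below. Addresses and names are made up.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: the PLC management subnet and the approved engineering workstation.
PLC_NETWORK = ipaddress.ip_network("10.10.5.0/24")
APPROVED_ENGINEERING_HOSTS = {ipaddress.ip_address("10.10.1.20")}

# Constructed log format: "<ts> <src> -> <dst> USER=<user> CMD=<cmd> FILE=<path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) USER=(?P<user>\S+) "
    r"CMD=(?P<cmd>\S+) FILE=(?P<file>\S*)$"
)

# Constructed sample sessions: an engineer reading and then writing to a PLC,
# an unknown host writing to and listing PLCs, and a write to a non-PLC host.
SAMPLE_LOG = """\
2012-03-05T10:01:02Z 10.10.1.20 -> 10.10.5.7 USER=engineer CMD=RETR FILE=/config.prj
2012-03-05T10:15:44Z 10.10.1.20 -> 10.10.5.7 USER=engineer CMD=STOR FILE=/fw/image.bin
2012-03-05T11:02:10Z 192.168.77.3 -> 10.10.5.7 USER=svc CMD=STOR FILE=/fw/image.bin
2012-03-05T11:03:00Z 192.168.77.3 -> 10.10.5.9 USER=svc CMD=LIST FILE=
2012-03-05T11:10:00Z 10.10.1.20 -> 10.10.9.1 USER=backup CMD=STOR FILE=/fw/image.bin
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    user: str
    cmd: str
    file: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return an alert reason for a parsed session, or None if it is benign.

    Sessions to hosts outside the PLC subnet are ignored. Any session to a
    PLC from a host that is not an approved engineering workstation alerts,
    and even an approved host alerts on STOR (a file written to the PLC),
    since a firmware or configuration upload should match a change record.
    """
    dst = ipaddress.ip_address(rec["dst"])
    if dst not in PLC_NETWORK:
        return None
    src = ipaddress.ip_address(rec["src"])
    if src not in APPROVED_ENGINEERING_HOSTS:
        return "FTP to PLC from unapproved host"
    if rec["cmd"] == "STOR":
        return "file upload to PLC (verify against change control)"
    return None


def scan(log_text):
    """Run every line of a log through the parser and classifier."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append(Alert(**rec, reason=reason))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst} {a.cmd} {a.file}: {a.reason}")
```

On the sample above, the approved workstation's RETR passes, its STOR is raised for change-control review, both sessions from the unknown host are raised regardless of command, and the upload to a non-PLC address is ignored. The rule deliberately ignores the user name, because with a hardcoded account a successful login carries no information about who is at the keyboard.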

PS – Numerous readers have suggested it was premature to take down the Stuxnet clock, and I’m increasingly agreeing with them as we learn more about the new product solution. We should be able to review this more closely as we now have an S7 in Project Basecamp.

Image by saebayro