Siemens Software Flaw Threatens Critical Infrastructure

US authorities investigate a vulnerability which resembles the one used by Stuxnet

A US government agency is investigating claims of a software flaw in industrial networking equipment made by a Siemens subsidiary that could allow hackers to decrypt SSL traffic between end-users and network devices.

The flaw could enable cyberterrorists to obtain necessary credentials and sabotage critical infrastructure, such as power plants, energy grids and water mains.

The invisible threat

At a conference in Los Angeles on Friday, security expert Justin Clarke said he had found a software flaw in Siemens equipment that could allow hackers to monitor network traffic. According to Reuters, the flaw was hiding in instruments produced by the Canadian company RuggedCom, a Siemens subsidiary specialising in networking gear for extreme environments.

Stuxnet, the infamous Trojan that might have knocked out as many as 1,000 centrifuges at Iran’s nuclear facility in 2010, also used a flaw in Siemens industrial equipment, along with Windows vulnerabilities, to gain control of the computer systems.

On Tuesday, the US Department of Homeland Security asked RuggedCom to investigate Clarke’s claims and find a solution to the issue. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has been called in to help with the analysis.

All devices running RuggedCom’s operating system use a single hard-coded software key to encrypt communications. Once that key has been “cracked”, it is possible to spy on traffic and obtain credentials needed to issue commands. Clarke says he successfully extracted the key from a piece of equipment he bought on eBay, using nothing but computers in his bedroom.
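The practical consequence of a single key shared across a product line is that every device presents the same public key, which an operator can spot in their own inventory. The following is an added example (not code from the article, RuggedCom or ICS-CERT) that groups hosts by the SHA-256 fingerprint of their public key and flags any key presented by more than one device; the host names and key bytes are constructed placeholders.

```python
# Added example: flag network devices whose TLS endpoints present the same
# public key, the symptom of one hard-coded key shared across a product line.
import hashlib
from collections import defaultdict

# Constructed inventory: host -> DER-encoded SubjectPublicKeyInfo bytes as an
# inventory scan would collect them. Real DER blobs run to hundreds of bytes;
# these short placeholders stand in for them.
CONSTRUCTED_INVENTORY = {
    "rtr-substation-01": b"SPKI-A",
    "rtr-substation-02": b"SPKI-A",
    "rtr-pumping-03": b"SPKI-A",
    "fw-dmz-01": b"SPKI-B",
    "hist-server": b"SPKI-C",
}


def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo, hex encoded (the usual pin input)."""
    return hashlib.sha256(spki_der).hexdigest()


def find_shared_keys(inventory, min_hosts=2):
    """Return {fingerprint: sorted hosts} for every key seen on >= min_hosts devices.

    A key reused across many devices means one extraction (for example from a
    unit bought second-hand) exposes traffic to and from all of them.
    """
    by_fp = defaultdict(list)
    for host, spki in inventory.items():
        by_fp[spki_fingerprint(spki)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) >= min_hosts}


def report(inventory):
    """Human-readable lines, largest shared-key group first."""
    shared = find_shared_keys(inventory)
    lines = []
    for fp, hosts in sorted(shared.items(), key=lambda kv: -len(kv[1])):
        lines.append(f"{len(hosts)} hosts share key {fp[:16]}...: {', '.join(hosts)}")
    return lines


if __name__ == "__main__":
    for line in report(CONSTRUCTED_INVENTORY):
        print(line)
```

Any group the report lists should be treated as one key, not several, when planning rotation or network isolation.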

Again, this bears some resemblance to the default passwords that Stuxnet used to infiltrate Iranian systems, which were the same across all Siemens logic controllers.

This discovery is especially worrying since, according to Clarke, the vulnerability could be used to gain access to systems controlling critical national infrastructure.

ICS-CERT has recommended that users of RuggedCom equipment take defensive measures to decrease the risk of exploitation of these vulnerabilities, such as minimising network exposure for all control system devices, isolating them from the business networks and using firewalls at all times.

“Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents,” concluded an alert issued to infrastructure owners and operators.

Earlier this year, Clarke had discovered another flaw in RuggedCom products that could give hackers using a “back door” account full control of equipment running the company’s proprietary operating system.
