Siemens Software Flaw Threatens Critical Infrastructure

A US government agency is investigating claims of a software flaw in industrial networking equipment made by a Siemens subsidiary that could allow hackers to decrypt SSL traffic between the end-user and network devices.

The flaw could enable cyberterrorists to obtain necessary credentials and sabotage critical infrastructure, such as power plants, energy grids and water mains.

The invisible threat

Speaking at a conference in Los Angeles on Friday, security expert Justin Clarke claimed he had found a software flaw in Siemens equipment that could allow hackers to monitor network traffic. According to Reuters, the flaw was found in instruments produced by Canadian firm RuggedCom, a Siemens subsidiary specialising in networking gear for extreme environments.

Stuxnet, the infamous Trojan that might have knocked out as many as 1,000 centrifuges at Iran’s nuclear facility in 2010, also used a flaw in Siemens industrial equipment, along with Windows vulnerabilities, to gain control of the computer systems.

On Tuesday, the US Department of Homeland Security asked RuggedCom to investigate Clarke’s claims and find a solution to the issue. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has been called in to help with the analysis.

All devices running RuggedCom’s operating system use a single hard-coded software key to encrypt communications. Once that key has been “cracked”, it is possible to spy on traffic and obtain credentials needed to issue commands. Clarke says he successfully extracted the key from a piece of equipment he bought on eBay, using nothing but computers in his bedroom.

Again, this bears some resemblance to the default passwords that Stuxnet used to infiltrate Iranian systems, which were the same across all Siemens logical controllers.

This discovery is especially worrying since, according to Clarke, the vulnerability could be used to gain access to systems controlling critical national infrastructure.

ICS-CERT has recommended that users of RuggedCom equipment take defensive measures to decrease the risk of exploitation of these vulnerabilities, such as minimising network exposure for all control system devices, isolating them from the business networks and using firewalls at all times.

“Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents,” concluded an alert issued to infrastructure owners and operators.

Earlier this year, Clarke discovered another flaw in RuggedCom products that could give hackers using a “back door” account full control of equipment running the company’s proprietary operating system.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
