Abstract

Industrial control systems (ICS) are the systems responsible for the control and operation of both critical national infrastructure (CNI), including oil and gas, water treatment and power generation, and manufacturing processes. ICS are made up of many speciality devices, including programmable logic controllers (PLCs), remote telemetry units (RTUs) and human-machine interfaces (HMIs), with major manufacturers including Siemens, Allen Bradley, Honeywell, Schneider Electric and General Electric. These systems are often referred to as Operational Technology (OT). In ICS, safety is the number one concern, with devices designed to operate reliably for many years. The security of such devices was largely physical: they were designed to sit without an Internet connection behind locked doors. In modern times, however, this is no longer the case, with devices regularly being connected to the Internet. Incidents such as the Stuxnet and Triton malware, which specifically target industrial systems, and legislation such as the European Network and Information Systems (NIS) directive have put the cyber security of industrial systems very much in focus. As part of this, an increasing number of vulnerabilities are being discovered, and eventually patched, in industrial devices.

Human-machine interfaces (HMIs) primarily refer to a physical device designed to be installed in physical proximity to an industrial process. HMI screens are programmed both to display information relating to the physical process below and to allow operators to provide inputs to the control system to control and manage physical processes. These screens vary from a few inches in size up to 'full size' monitors, with modern devices usually featuring a touchscreen and, in some cases, a set of physical inputs including buttons and knobs. Most ICS manufacturers produce some range of HMI screens, including Siemens, who produce a wide range of these devices.

Some HMIs support remote access, which allows operators in a central location to access screens that on-site human operators are unable to reach. This provides obvious benefits, allowing engineers to correct issues remotely as well as to monitor and control processes. Device manufacturers provide their own methods for this remote access. Communication is usually achieved over network connections, with most modern devices featuring an Ethernet port and/or wireless connectivity. In the case of Siemens, the primary method is the VNC-based Sm@rtServer system available on most of their HMI range, which provides access through a Sm@rtClient application (available for PC, Android and iOS) as well as through third-party VNC clients.

We discovered a vulnerability in Siemens HMI products that allows an attacker to brute force the Sm@rtServer password. On basic devices, we find that there is no protection against brute forcing the Sm@rtServer, allowing the use of existing online password cracking tools. On higher-end devices, we find that the Sm@rtServer employs a form of brute-force prevention, which we were able to evade, allowing for slightly slower, but still overall successful, brute force attempts. Successfully guessing this password could in some cases grant an attacker full control over the HMI screen, and therefore control over the underlying process, causing a potentially dangerous, life-threatening situation. Further, due to a limitation in the VNC protocol, passwords longer than 8 characters are truncated by the clients, which allows an attacker to successfully authenticate to the device with a longer password as long as the first 8 characters are correct, potentially aiding the brute force attempt.

After disclosure to Siemens, this vulnerability has been assigned two CVEs: CVE-2020-15786 for the brute force issue and CVE-2020-15787 for the password truncation issue, both addressed in Siemens Security Advisory (SSA) 524525. A detailed technical report that supplements this demonstration is available on arXiv [1].
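To make the 8-character truncation concrete from the defender's side, the following added example (not code from the paper or from Siemens) models the key derivation that standard VNC clients perform for RFB "VNC Authentication": the password is cut to 8 bytes, zero-padded, and each byte's bits are mirrored before it is used as the DES key for the challenge-response. The DES step itself is omitted, and the sample passwords and the `audit_password` policy check are constructed for illustration.

```python
"""Why a Sm@rtServer/VNC password gains no strength beyond 8 characters."""
import string

KEY_LEN = 8  # DES key length in bytes; VNC clients truncate the password here


def effective_password(password: str) -> bytes:
    """Return the bytes a VNC client actually uses: first 8, zero-padded."""
    raw = password.encode("latin-1", errors="replace")[:KEY_LEN]
    return raw.ljust(KEY_LEN, b"\x00")


def vnc_des_key(password: str) -> bytes:
    """Derive the DES key used in the RFB challenge-response by mirroring
    the bit order of each byte of the truncated password (a VNC quirk)."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in effective_password(password))


def audit_password(password: str, min_classes: int = 3) -> dict:
    """Constructed defender's check: judge the password by the part that is
    really used. Reports how many trailing characters are ignored and whether
    the 8-byte prefix alone is full length and mixes `min_classes` classes."""
    used = effective_password(password).rstrip(b"\x00").decode("latin-1")
    classes = sum(any(c in cls for c in used) for cls in (
        string.ascii_lowercase, string.ascii_uppercase,
        string.digits, string.punctuation))
    return {
        "effective": used,
        "ignored_chars": max(0, len(password) - KEY_LEN),
        "classes_in_effective": classes,
        "acceptable": len(used) == KEY_LEN and classes >= min_classes,
    }


if __name__ == "__main__":
    # Constructed sample passwords: the long one collapses to 'pumproom'.
    for pw in ("pump#7Az", "pumproom-Station9!", "operator"):
        print(f"{pw!r:22} key={vnc_des_key(pw).hex()} {audit_password(pw)}")
```

Two passwords that share their first 8 bytes produce the same DES key, so a long passphrase whose complexity sits past position 8 is, on the wire, the 8-character prefix.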
