Siemens commits "basic security errors": Byres

Leading US critical infrastructure security consultant Eric Byres has slammed security practices at Siemens following the demonstration of serious security vulnerabilities in their S7 programmable logic controllers (PLCs) at Black Hat 2011.

"To me the most serious and inexcusable security hole is a hardcoded username (Basisk) and password (Basisk) that Siemens engineers had left in many versions of firmware on the S7-300 PLC," Byres writes at his Practical SCADA Security Blog.

Security researcher Dillon Beresford, who discovered the flaws, said he could log into the PLCs via telnet and FTP and then dump memory, delete files and execute commands.

"Letting unnecessary services run on a PLC and the use of hardcoded passwords are both basic security errors. This should have never been allowed through the Siemens development and Quality Assurance process," Byres writes.

Siemens’ commitment to their customers’ security is "abominable", according to Byres.

"What is really sad is that Siemens clearly knew of the hard-coded password vulnerability at least a year ago. Yet they did nothing to address it. They did not create a patch for their users. They did not advise their customers in any way," he writes.

"Hiding known vulnerabilities from your customers for a year and then not preparing even a basic patch or mitigation plan is inexcusable."

Byres says customers should demand to see evidence that vendors have implemented a security development lifecycle (SDL) process, which integrates the consideration of security issues into every aspect of software development.

The SDL model was developed by Microsoft in 2004 as part of their Trustworthy Computing initiative in the wake of a series of high-profile Windows security problems in previous years. SDL is credited with the vast improvement of security in later products such as Microsoft Office 2010 and Windows 7.

Contact Stilgherrian at stil@stilgherrian.com, or follow him on Twitter at @stilgherrian.