Google security engineer Billy Rios has publicly disclosed a remote authentication vulnerability in the Siemens SIMATIC software, which is used to control critical infrastructure systems worldwide.
The vulnerability was discovered back in May and was responsibly reported to Siemens, Rios said. However, according to the researcher, who found the bug in his spare time, Siemens recently denied its existence to the press.
“Since Siemens has ‘no open issues regarding authentication bypass bugs,’ I guess it’s OK to talk about the issues we reported in May,” Rios said on his blog on Tuesday. “Siemens just blatantly lied to the press about the existence of security issues that could be used to damage critical infrastructure, but Siemens wouldn’t lie, so I guess there is no authentication bypass.”
One potential security issue Rios claims to exist in Siemens SIMATIC stems from its use of a default administrative password for the Web, VNC (Virtual Network Computing) and Telnet services.
“The default creds [credentials] for the Web interface is ‘Administrator:100’ and the VNC service only requires the user enter the password of ‘100’ (there is no user name),” the researcher said. If administrators are negligent and don’t change these default passwords, attackers could walk right in.
Rios believes that this might be the attack vector used to access a South Houston water utility’s SCADA system without authorization last month. The alleged hacker, who used the online moniker of pr0f, claimed that the system was protected by a three-character password.
If not done properly, changing the default password could also leave systems exposed. That’s because changing the password for the Web interface doesn’t also change it for the VNC service, Rios said. Also, if a user’s password is changed to one that contains special characters, it could automatically be reset to 100 again, he added.
However, according to Rios, the most serious issue is the fact that session tokens generated by the SIMATIC Web HMI (Human Machine Interface) are predictable. As a result, an attacker could generate session tokens and use them to access a system without needing a valid username and password combination.
This poses a serious risk for SIMATIC systems that can be accessed over the Internet. Rios even provided two search queries for Google and SHODAN that expose several such systems.
“No need to worry though, as there are ‘no open issues regarding authentication bypass bugs at Siemens,'” the researcher said.
Siemens did not respond to a request for comment and the U.S. Industrial Control Systems Cyber Emergency Response Team has issued no advisory about these problems yet.