PLCs are used in factories and control rooms to drive the machinery that drives the economy. Many are programmed in the ladder logic programming language. As with all software, this code periodically needs to be updated, changed or amended. This is often achieved via the CoDeSys software. The CoDeSys Programming Tool is free from Smart Software Solutions, and can be used for any industrial controller that has the CoDeSys runtime kernel installed. “This proven tool which is already in use by more than 300 OEM customers worldwide acts as a development environment for CoDeSys SP thus ensuring high user stability and safety,” says Smart Software Solutions.
But security researcher Reid Wightman, now with ioActive, says CoDeSys contains a backdoor that grants a command shell to anyone who knows the correct syntax. “There is,” he says, “absolutely no authentication needed to perform this privileged command.”
It was access to the PLCs that allowed the Stuxnet attack on the Iranian nuclear facility – an attack that is generally considered to have caused severe damage that disrupted the Iranian nuclear program for many months. However, since the CoDeSys programming tool is free, it could be downloaded from Smart Software Solutions and used to remotely hack into any industrial controller that is internet enabled.
According to Ars Technica the supplier has recently issued an advisory recommending that users set a password, but Wightman says the advice is ineffective because it only protects code changes, not the backdoor. “As a result the hackers can easily circumvent the password protection without knowing the current password by using a backdoor shell command.”
It would be no understatement to say that the security industry is aghast. “It’s depressing that we're still seeing evidence of a gulf between ICS supplier thought processes and security-aware thought processes,” ESET’s David Harley told Infosecurity. It’s as if people think security only applies to consumers and big companies with secrets to steal, but isn’t relevant to critical installations. “It's the 21st century,” he added. “The online world has crept into all sorts of unexpected nooks and crannies.”
Trend Micro’s Rik Ferguson is of the same opinion. He told Infosecurity that this is “yet another example of the two important failings surrounding SCADA implementations: firstly that too often these systems, or important components of these systems, are not designed with security in mind – they are designed from the mindset that security is someone else's problem; and secondly, systems and networks that should never be connected to the public internet for reasons of security are often connected in exactly that way for reasons of convenience.”
“If any system suffers from [such problems] then it is clear that a thorough security audit has not taken place, and should be undertaken as a matter of priority - however inconvenient it may be,” adds Graham Cluley of Sophos.
The only short-term solution is the inconvenient disconnection of all ICS from the internet – but it’s still worth remembering that Stuxnet leapt from the internet to a disconnected Iranian control system.