It seems that the flaws Rios disclosed existed after all

Dec 27, 2011 12:35 GMT

A few days back we saw how security researcher Billy Rios got angry at Siemens after the company claimed that no authorization bypass flaws were present in its SIMATIC systems. Now Siemens has come forward with a statement saying that it plans to fix the vulnerabilities next month.

Rios became upset last week after he found out from a Reuters reporter that Siemens had officially denied knowing of the authentication flaws he had disclosed to the company earlier this year. After the scandal broke, the SCADA components manufacturer released an official comment.

“Siemens was notified by IT experts (Billy Rios and Terry McCorke) about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels (TP, OP, MP, Comfort),” the company said.

“We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, first is planned to be issued in January 2012.”

The company also states that other vulnerabilities were reported in December 2011, all of which are currently being investigated.

Finally, in an attempt to clean up its stained reputation, the industrial giant thanks Rios and Terry McCorke for reporting the vulnerabilities.

This comes after Rios highlighted some major weaknesses in the way SIMATIC systems were protected. He showed the default three-character passwords used by the web interface and other serious issues that could allow a hacker to easily take over a component of a company’s infrastructure.

The researcher also wanted to teach other companies “a lesson on how NOT to treat security researchers who have been freely providing you security advice and have been quietly sitting for half a year on remote authentication bypasses for your products.”