Learn how the hacker called 'pr0f' managed to access the South Houston water utility

Dec 23, 2011 12:31 GMT

In May 2011 a security researcher informed Siemens of an authentication bypass bug in its SIMATIC systems. While he quietly waited for the bug to be fixed, he learned that Siemens flatly denied the existence of any such flaw, so he decided to publish his findings on his personal blog.

Software security researcher Billy Rios states that he’s been waiting for the bypass issue to be fixed, only to find out from a Reuters reporter that Siemens officially denies that such vulnerabilities exist in their SIMATIC systems.

“Since Siemens has ‘no open issues regarding authentication bypass bugs’, I guess it’s OK to talk about the issues we reported in May. Either that or Siemens just blatantly lied to the press about the existence of security issues that could be used to damage critical infrastructure…. but Siemens wouldn’t lie… so I guess there is no authentication bypass,” Rios wrote.

First of all, he said that the default password for SIMATIC systems is “100”, which fits with the fact that the hacker who breached the South Houston water utility mentioned a three-character password.

“The default creds for the Web interface is ‘Administrator:100’ and the VNC service only requires the user enter the password of ‘100’ (there is no user name). This is likely the vector pr0f used to gain access to South Houston,” he said.

Rios also claims that if a user sets a new password which contains a special character, the password “may automatically be reset to 100”.
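The two weaknesses described above (a vendor default of “100” that is never forced to change, and a password change that silently falls back to that default) can be modelled side by side. The following is an added example, not Siemens code and not taken from Rios's post: it is a hypothetical account store in which `set_password_weak` reproduces the reported fallback behaviour, and `set_password_hardened` shows what a defender would expect instead: validate the candidate, reject the known default, never store plaintext, and fail closed rather than quietly revert. The special-character set, the 12-character minimum and the PBKDF2 parameters are all assumptions chosen for the example.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field

# Hypothetical model of an HMI account store; not the vendor's code.
DEFAULT_PASSWORD = "100"  # vendor default reported in the article
# Assumed "special" characters that trigger the fallback in the weak model.
SPECIAL_CHARS = set("!@#$%^&*()[]{};:'\",.<>/?\\|`~-=_+ ")


@dataclass
class Account:
    """Weak model: plaintext password, pre-populated with the vendor default."""
    username: str
    password: str = DEFAULT_PASSWORD


def set_password_weak(account: Account, new_password: str) -> str:
    """Reproduces the behaviour the article describes: a new password that
    contains a special character is not stored, and the account silently
    reverts to the default '100'. Returns the password actually in effect."""
    if any(ch in SPECIAL_CHARS for ch in new_password):
        account.password = DEFAULT_PASSWORD
    else:
        account.password = new_password
    return account.password


class PasswordPolicyError(ValueError):
    """Raised instead of falling back: the caller must handle a bad change."""


@dataclass
class HardenedAccount:
    """Hardened model: salted hash only, and the default credential is never
    treated as a usable password (must_change stays True until a real one is set)."""
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    must_change: bool = True


def _hash(password: str, salt: bytes) -> bytes:
    # Assumed work factor; a real deployment would tune this to its hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def set_password_hardened(account: HardenedAccount, new_password: str) -> None:
    """Validate first; on any failure raise and leave the account untouched."""
    if len(new_password) < 12:
        raise PasswordPolicyError("password too short (assumed minimum: 12)")
    if new_password == DEFAULT_PASSWORD:
        raise PasswordPolicyError("the vendor default credential is not permitted")
    if not new_password.isprintable():
        raise PasswordPolicyError("non-printable characters are not permitted")
    # Special characters are fine here: they are hashed, never interpreted.
    account.salt = os.urandom(16)
    account.pw_hash = _hash(new_password, account.salt)
    account.must_change = False


def verify_hardened(account: HardenedAccount, candidate: str) -> bool:
    """Fail closed: an account that never had a password set accepts nothing,
    so the default '100' can never authenticate."""
    if account.must_change or not account.pw_hash:
        return False
    return secrets.compare_digest(account.pw_hash, _hash(candidate, account.salt))


def policy_rejects(new_password: str) -> bool:
    """True if the hardened setter refuses the candidate AND leaves the
    account unset (i.e. no silent fallback to a default took place)."""
    probe = HardenedAccount("probe")
    try:
        set_password_hardened(probe, new_password)
    except PasswordPolicyError:
        return probe.must_change
    return False


if __name__ == "__main__":
    weak = Account("Administrator")
    print("weak model after change to 'Str0ng!Pass':", set_password_weak(weak, "Str0ng!Pass"))
    strong = HardenedAccount("Administrator")
    set_password_hardened(strong, "Str0ng!Pass-2011")
    print("hardened accepts real password:", verify_hardened(strong, "Str0ng!Pass-2011"))
    print("hardened accepts '100':", verify_hardened(strong, "100"))
```

The design point is the error path: the weak model turns a user's attempt to choose a strong password into a downgrade to the default, whereas the hardened model makes a rejected change visible to the caller and keeps the previous state. Separately, the VNC service the article mentions authenticates with a password alone and no user name, so a default of “100” there is a single shared secret for every unit shipped with it.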

Furthermore, although the session cookie issued during an administrator login to the Web human machine interface (HMI) looks well encrypted and secure, the researcher found after some digging that the cookies are in reality not very random.
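A cookie that looks opaque is not the same as a cookie that is unpredictable, and the following added example (not from the article or from Siemens) shows the kind of offline audit a defender can run over a sample of issued session tokens. Three constructed generators are compared: a padded login counter, a SHA-256 hash of that counter, and `secrets.token_bytes`. The audit pools the bytes of all sampled tokens and measures their Shannon entropy, checks length and uniqueness, and reports a pass/fail against an assumed threshold. The threshold, the token lengths and the generators themselves are assumptions chosen for the example.

```python
import hashlib
import math
import secrets
import struct
from collections import Counter

TOKEN_LEN = 16           # assumed minimum token length in bytes (128 bits)
MIN_BITS_PER_BYTE = 7.5  # assumed audit threshold for pooled byte entropy


def weak_token(counter: int) -> bytes:
    """Constructed weak generator: a 4-byte login counter padded with a
    constant filler to 32 bytes. Hex-encoded it is a 64-char opaque string."""
    return struct.pack(">I", counter) + b"\x5a" * 28


def hashed_counter_token(counter: int) -> bytes:
    """Constructed deterministic generator: SHA-256 of the counter. The bytes
    are statistically uniform, yet each token is fixed by a small integer."""
    return hashlib.sha256(str(counter).encode()).digest()


def strong_token() -> bytes:
    """CSPRNG-backed token: what a session layer should be issuing."""
    return secrets.token_bytes(32)


def entropy_bits_per_byte(tokens) -> float:
    """Shannon entropy of the pooled byte distribution (max 8.0)."""
    counts = Counter(b for t in tokens for b in t)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def audit_tokens(tokens) -> dict:
    """Cheap structural checks a defender can apply to captured tokens from
    their own system. Passing is necessary, not sufficient (see below)."""
    tokens = list(tokens)
    report = {
        "count": len(tokens),
        "min_len": min(len(t) for t in tokens),
        "all_unique": len(set(tokens)) == len(tokens),
        "bits_per_byte": round(entropy_bits_per_byte(tokens), 3),
    }
    report["passes_statistics"] = (
        report["min_len"] >= TOKEN_LEN
        and report["all_unique"]
        and report["bits_per_byte"] >= MIN_BITS_PER_BYTE
    )
    return report


if __name__ == "__main__":
    samples = {
        "padded counter": [weak_token(i) for i in range(1000)],
        "hashed counter": [hashed_counter_token(i) for i in range(1000)],
        "secrets.token_bytes": [strong_token() for _ in range(1000)],
    }
    for name, toks in samples.items():
        print(f"{name:20s} {audit_tokens(toks)}")
```

The padded-counter generator fails the entropy check outright. The hashed counter passes every statistical check even though it is fully deterministic, which is the caveat the article's "looks encrypted but is not random" finding illustrates: byte statistics cannot see how a token was derived. The audit therefore catches only the crudest designs; the decisive control is that session identifiers come from a cryptographically secure random source with at least 128 bits of entropy, and that is a code or configuration review, not a measurement.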

Taken together, the issues he disclosed could have allowed an attacker to gain remote access, without much difficulty, to Siemens SIMATIC HMIs of the kind that control critical infrastructure around the world.