Claroty’s Team82 researchers discovered a method to extract private encryption keys from Siemens industrial devices and compromise whole Siemens product lines.
The cybersecurity firm explained that Siemens introduced the practice of storing global hard-coded cryptographic keys a decade ago to guarantee software and hardware integrity.
The Munich, Germany-based manufacturer opted to hardcode the credentials to save users and integrators from the complexities of key management systems, which did not exist at the time for industrial systems.
However, technological advances and the ever-growing threat landscape made the practice unsafe, posing an unacceptable risk.
Hardcoded encryption keys in Siemens industrial devices risk complete equipment takeover
The critical vulnerability, CVE-2022-38465 (CVSSv3 9.3), is classified as insufficiently protected credentials and could allow attackers to discover the global private key through an offline attack.
Subsequently, they could perform multiple advanced attacks against Siemens SIMATIC S7-1200, S7-1500 PLCs (programmable logic controllers), and related products, allowing a complete takeover.
“The key, if extracted by an attacker, would give them full control over every PLC per affected Siemens product line.”
Claroty warned that the attacks could cause irreparable compromise of the impacted industrial devices.
“A malicious actor could use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way.”
A threat actor could leverage hardcoded encryption keys to bypass all protection levels and perform sophisticated attacks on industrial devices.
This exploit is invaluable for nation-state attackers interested in cyber warfare against adversaries’ critical infrastructure.
“An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access level protections.”
Similarly, an attacker could create a rogue Siemens SIMATIC client that bypasses the TIA Portal. This exploit could grant them persistence and control of industrial devices for follow-on attacks, including data exfiltration and malware distribution.
“In addition, an attacker can develop an independent Siemens SIMATIC client (without requiring the TIA Portal) and perform full upload/download procedures, conduct man-in-the-middle attacks, and intercept and decrypt passive OMS+ network traffic,” the researchers said.
Claroty had previously discovered a similar authentication bypass vulnerability, CVE-2021-22681, in Rockwell Automation PLCs, which allowed a remote attacker to upload code, download data from industrial devices, and potentially install new firmware.
Previous vulnerability in Siemens devices leveraged
Claroty extracted the private encryption keys by leveraging a previous vulnerability, CVE-2020-15782, to bypass native memory protections, gain read and write privileges in protected areas and perform remote code execution.
“This new knowledge allowed us to implement the full protocol stack, encrypt and decrypt protected communication, and configurations.”
According to Saeed Abbasi, Manager of Vulnerability Signatures at Qualys, hardcoded encryption keys are prone to disclosure, thus undermining the system’s security.
“These types of cryptographic keys are intended to remain secret, and can be utilized for data encryption, integrity protection and identity verification.”
Siemens uses “per family” and “per-model” encryption keys to secure configurations, maintain code integrity, perform authentication, and encrypt communications.
However, the first attack stage requires an offline attack because the family encryption key resides in the CPU, not the firmware. Nevertheless, extracting this key exposes a whole device line.
New public-key infrastructure to eliminate hardcoded private keys
Claroty shared its findings with Siemens, which released new versions of the programmable logic controllers to address the vulnerability.
Additionally, Siemens introduced a new dynamic public-key infrastructure (PKI) that eliminates the practice of hardcoding encryption keys.
The new infrastructure generates encryption keys based on each device’s password and uses TLS v1.3 for PG/PC and HMI communication.
Subsequently, the industrial devices manufacturer advised organizations to migrate from legacy systems to the new versions free of the Insufficiently Protected Credentials vulnerability.
“Siemens recommends to update both the affected products as well as the corresponding TIA Portal project to the latest versions,” Siemens’ advisory read.
The industrial devices manufacturer also explained that dynamic key management and key distribution technologies for industrial control systems did not exist at the inception of its architecture.
“The additional operational effort that key management solutions impose for integrators and customers was not justifiable.”
Bryan Cunningham, Advisory Council Member at Theon Technology, warned against “sleeping on your encryption system” because attackers relentlessly find exploits.
“This disclosure is a sober reminder that any encryption-based security architecture is: (1) only as secure as the management of the keys on which it is based; and (2) even if state-of-the-art at the time of design and implementation, can become vulnerable over time and based on newly evolving attack techniques,” Cunningham said.
Mike Parkin, a Senior Technical Engineer at Vulcan Cyber, said that OT vulnerabilities could wreak havoc depending on the device role and the deployment area.
“Attacks against devices like these Siemens PLCs (Programmable Logic Controllers) can be serious depending on where they’re deployed. Hopefully, when these are deployed in a ‘critical infrastructure’ role, they’re protected by additional layers of security which would blunt a remote attack,” Parkin concluded.