According to Dark Reading, Siemens will release security updates in January to fix product vulnerabilities, following the public disclosure of flaws that could let an attacker take over a control system without a username or password. Billy Rios posted details on his blog of some of the vulnerabilities that he and Terry McCorke found and reported in May.
Siemens confirmed it was in the process of fixing the flaws after initially denying their existence. Rios claims to have reported roughly 1,000 bugs in industrial control system products during the past few years, and decided to go public after a Siemens PR representative told a reporter that the company had no outstanding bug reports.
He went public with the authentication bypass bug as well as two other issues: Simatic uses a default password, and when that password is changed to one containing a special character (question mark, exclamation point, etc.), it automatically reverts back without the user’s knowledge. That default password likely aided the hacker “prof,” who accessed the water utility system in South Houston.
A Siemens spokesperson says it was all a big misunderstanding. The firm had no intention of denying vulnerabilities it was working on. Siemens issued a statement on its website: “Siemens was notified by IT experts about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels. We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, first is planned to be issued in January 2012. In December 2011 further vulnerabilities have been reported which are currently under investigation. We thank Billy Rios and Terry McCorke for reporting the vulnerabilities.”