Critical Architectural Vulnerabilities in Siemens SIMATIC S7-1500 Series Allow for Bypass of All Protected Boot Features

Critical Architectural Vulnerabilities in Siemens SIMATIC S7-1500 Series Allow for Bypass of All Protected Boot Features

Table of Contents

EXECUTIVE SUMMARY

Architectural vulnerabilities in the Siemens SIMATIC and SIPLUS S7-1500 Series PLC

  • Red Balloonโ€™s research has determined that multiple architectural vulnerabilities exist in the Siemens SIMATIC and SIPLUS S7-1500 series PLC that could allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data.
  • The Siemens custom System-on-Chip (SoC) does not establish an indestructible Root of Trust (RoT) in the early boot process. This includes lack of asymmetric signature verifications for all stages of the bootloader and firmware before execution.
  • Failure to establish Root of Trust on the device allows attackers to load custom-modified bootloader and firmware. These modifications could allow attackers to execute and bypass tamper-proofing and integrity-checking features on the device.
  • Architectural vulnerabilities allow offline attackers not only to decrypt S7-1500 series PLC encrypted firmware, but also to generate arbitrary encrypted firmware that are bootable on more than 100 different Siemens S7-1500 series PLC CPU modules. Furthermore, these vulnerabilities allow attackers to persistently bypass integrity validation and security features of the ADONIS operating system and subsequent user space code.
  • CVE-2022-38773 has been assigned, and a CVSS v3 score of 4.6 was assessed.
  • As exploiting this issue requires physical tampering of the product, Siemens recommends to assess the risk of physical access to the device in the target deployment and to implement measures to make sure that only trusted personnel have access to the physical hardware.ย 
  • Siemens has also released new hardware versions for several CPU types of the S7-1500 product family that contain a secure boot mechanism and is working on updated hardware versions for remaining PLC types. See additional information for list of all MLFBs with new hardware architecture.
  • Siemensโ€™ advisory can be found here, and it includes recommendations for its users regarding workarounds and mitigations.
  • These technical findings will be presented at HOST 2023 (IEEE International Symposium on Hardware Oriented Security and Trust) from May 1-4, 2023.

LEARN HOW RED BALLOON CAN HELP YOU ADDRESS THESE VULNERABILITIES WITH ITS ADVANCED PERSISTENT THREAT DETECTION TOOL.

LEARN MORE

INTRODUCTION

Programmable logic controllers (PLCs) are critical embedded devices used in modern industrial environments. The Siemens S7-1500 is an industry-leading, high-performance controller that is considered to possess comprehensive security protections amongst Siemens PLC products.

Over the past 10 years, Red Balloon Security has conducted extensive research on the security of embedded systems including PLCs, protection relays, building automation controllers, networking equipment, telecommunications infrastructure, and satellite ground control system infrastructure. Red Balloonโ€™s previous research that specifically focused on Root of Trust (RoT) implementations resulted in discovery of a vulnerability disclosed in 2019 called โ€œThrangrycatโ€, which allows for persistent bypass of Ciscoโ€™s proprietary secure boot mechanism. Thrangrycat is caused by a series of hardware design flaws within Ciscoโ€™s Trust Anchor module (TAm) that allows an attacker to make persistent modification to the TAm via FPGA bitstream modification, thereby defeating the secure boot process and invalidating Ciscoโ€™s chain of trust at its root.ย 

Red Balloonโ€™s latest research consists of discovering multiple, critical architectural vulnerabilities in the Siemens S7-1500 series that allow for bypass of all protected boot features. This discovery has potentially significant implications for industrial environments as these unpatchable hardware root-of-trust vulnerabilities could result in persistent arbitrary modification of S7-1500 operating code and data. Exploitation of these vulnerabilities could allow offline attackers to generate arbitrary encrypted firmware that are bootable on all Siemens S7-1500 series PLC CPU modules. Furthermore, these vulnerabilities allow attackers to persistently bypass integrity validation and security features of the ADONIS operating system and subsequent user space code. Red Balloon has reported these vulnerabilities to Siemens, and Siemens has confirmed them.

The vulnerabilities exist because the Siemens custom System-on-Chip (SoC) does not establish a tamper proof Root of Trust (RoT) in the early boot process. The Siemens RoT is implemented through the integration of a dedicated cryptographic secure element โ€” the ATECC CryptoAuthentication chip. However, this architecture contains flaws that can be leveraged to compromise the system. Failure to establish a RoT on the device allows attackers to load custom-modified bootloaders and firmware.ย 

The fundamental vulnerabilities — improper hardware implementations of the RoT using dedicated cryptographic-processor — are unpatchable and cannot be fixed by a firmware update since the hardware is physically unmodifiable. To limit the effects of potential exploitation of these vulnerabilities, Red Balloon has recommended several mitigations to Siemens which include: implement runtime integrity attestation; add asymmetric signature check for firmware at bootup scheme; and encrypt the firmware with device specific keys that are generated on individual devices.ย 

Red Balloon has developed an advanced persistent threat detection tool for owners and operators of the Siemens S7-1500 series PLCs to verify whether vulnerable devices have been tampered with or compromised.ย 

LEARN HOW RED BALLOON CAN HELP YOU ADDRESS THESE VULNERABILITIES WITH ITS ADVANCED PERSISTENT THREAT DETECTION TOOL.

LEARN MORE

AFFECTED DEVICES

Siemens released the following list of more than 100 products with this vulnerability with currently no fix available.

  • SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0)
  • SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0)
  • SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0)
  • SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0)
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0)
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0)
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0)
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0)
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0)
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0)
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0)
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0)
  • SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0)
  • SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0)
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0)
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0)
  • SIMATIC S7-1500 CPU 1512SP F-1PN (6ES7512-1SK00-0AB0)
  • SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0)
  • SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK00-0AB0)
  • SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0)
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0)
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0)
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0)
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0)
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0)
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0)
  • SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0)
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0)
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0)
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0)
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0)
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0)
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0)
  • SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0)
  • SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0)
  • SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0)
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0)
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0)
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3TN00-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3UN00-0AB0)
  • SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0)
  • SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3FP00-0AB0)
  • SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0)
  • SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0)
  • SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0)
  • SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0)
  • SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
  • SIMATIC S7-1500 CPU 1518-4F PN/DP (6ES7518-4FP00-0AB0)
  • SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
  • SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0)
  • SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0)
  • SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0)
  • SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0)
  • SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0)
  • SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0)
  • SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0)
  • SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0)
  • SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0)
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0)
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0)
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0)
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0)
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0)
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0)
  • SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0)
  • SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0)
  • SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0)
  • SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0)
  • SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0)
  • SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN00-2AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0)
  • SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0)
  • SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0)
  • SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
  • SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)

TECHNICAL DETAILS

The ATECC CryptoAuthentication-based RoT hardware implementation is vulnerable and deployed across the Siemens S7-1500 series product line. The firmware gets decrypted in memory and executed each time during bootup. The decryption keys are not built into the firmware itself. Instead, a physical secure element chip — the ATECC108 CryptoAuthentication coprocessor — is used to calculate a decryption seed based on the firmware metadata (header) and the master key inside the secure element. The decryption seed then derives the AES keys for different parts of the encrypted firmware.ย 

However, this ATECC CryptoAuthentication implementation contains flaws that can be leveraged to compromise the integrity of the system. The secure element shared secret is exposed, as shown in Figure 1, which allows attackers to abuse the secure element. The shared secret resides in the device’s nonvolatile storage which can be accessed by attackers. The CryptoAuthentication chip can be used as an oracle to generate the decryption seed which is used to derive AES keys for encrypted firmware. The plaintext bootloader reveals the firmware AES key derivation and decryption scheme.ย 

Figure 1. The vulnerable implementation of Root-of-Trust (RoT) using a secure cryptographic processor. If the shared cryptographic material is captured, adversaries may use the secure cryptographic processor as an oracle to encrypt and decrypt tampered firmware.

ATTACK FLOW

This attack flow allows an attacker to load a custom-modified bootloader and firmware to vulnerable Siemens S7-1500 series PLCs.

  • An attacker can target the vulnerable ATECC secure cryptographic-processor to establish a Root-of-Trust with modified firmware.ย 
  • An attacker with physical access to the device can either attach to the I2C communication bus or extract the physical ATECC chip from the PLCโ€™s PCB to falsely authenticate and use it as an oracle to generate firmware decryption material.ย 
    • The Siemens ADONIS RTOS Firmware and bootloader integrity check is located in the firmware itself (chain of trust) which can be easily bypassed through the attacker’s tampered firmware.
  • The last step is for an attacker to flash the modified firmware onto the device either through NAND flash reprogram or to chain it with an existing remote code execution vulnerability.ย 

SUMMARY

The Siemens S7-1500 series PLCs implement a boot-time firmware validation scheme using a combination of hardware-enabled firmware decryption and binary integrity validation in the Siemens ADONIS operating system. Multiple architectural vulnerabilities exist which allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data. With physical access to a single device, attackers can exploit the vulnerabilities to generate valid AES keys for most of the S7-1500 series firmwares, including the one modified by attackers. The custom-modified firmware can be authenticated and decrypted by the original boot process. By flashing this malicious firmware on a target device, either physically or by exploiting an existing remote code execution vulnerability, attackers could persistently gain arbitrary code execution and potentially circumvent any official security and firmware updates, without the user’s knowledge.

ACKNOWLEDGMENT

Red Balloon would like to thank Siemens for its response in confirming our findings and coordination in the disclosure process.

For further analysis of these vulnerabilities and Siemens S7-1500 series PLCs, pleaseย contact us.

CLICK HERE

Table of Contents

EXECUTIVE SUMMARY

Architectural vulnerabilities in the Siemens SIMATIC and SIPLUS S7-1500 Series PLC

  • Red Balloonโ€™s research has determined that multiple architectural vulnerabilities exist in the Siemens SIMATIC and SIPLUS S7-1500 series PLC that could allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data.
  • The Siemens custom System-on-Chip (SoC) does not establish an indestructible Root of Trust (RoT) in the early boot process. This includes lack of asymmetric signature verifications for all stages of the bootloader and firmware before execution.
  • Failure to establish Root of Trust on the device allows attackers to load custom-modified bootloader and firmware. These modifications could allow attackers to execute and bypass tamper-proofing and integrity-checking features on the device.
  • Architectural vulnerabilities allow offline attackers not only to decrypt S7-1500 series PLC encrypted firmware, but also to generate arbitrary encrypted firmware that are bootable on more than 100 different Siemens S7-1500 series PLC CPU modules. Furthermore, these vulnerabilities allow attackers to persistently bypass integrity validation and security features of the ADONIS operating system and subsequent user space code.
  • CVE-2022-38773 has been assigned, and a CVSS v3 score of 4.6 was assessed.
  • As exploiting this issue requires physical tampering of the product, Siemens recommends to assess the risk of physical access to the device in the target deployment and to implement measures to make sure that only trusted personnel have access to the physical hardware.ย 
  • Siemens has also released new hardware versions for several CPU types of the S7-1500 product family that contain a secure boot mechanism and is working on updated hardware versions for remaining PLC types. See additional information for list of all MLFBs with new hardware architecture.
  • Siemensโ€™ advisory can be found here, and it includes recommendations for its users regarding workarounds and mitigations.
  • These technical findings will be presented at HOST 2023 (IEEE International Symposium on Hardware Oriented Security and Trust) from May 1-4, 2023.

LEARN HOW RED BALLOON CAN HELP YOU ADDRESS THESE VULNERABILITIES WITH ITS ADVANCED PERSISTENT THREAT DETECTION TOOL.

INTRODUCTION

Programmable logic controllers (PLCs) are critical embedded devices used in modern industrial environments. The Siemens S7-1500 is an industry-leading, high-performance controller that is considered to possess comprehensive security protections amongst Siemens PLC products.

Over the past 10 years, Red Balloon Security has conducted extensive research on the security of embedded systems including PLCs, protection relays, building automation controllers, networking equipment, telecommunications infrastructure, and satellite ground control system infrastructure. Red Balloonโ€™s previous research that specifically focused on Root of Trust (RoT) implementations resulted in discovery of a vulnerability disclosed in 2019 called โ€œThrangrycatโ€, which allows for persistent bypass of Ciscoโ€™s proprietary secure boot mechanism. Thrangrycat is caused by a series of hardware design flaws within Ciscoโ€™s Trust Anchor module (TAm) that allows an attacker to make persistent modification to the TAm via FPGA bitstream modification, thereby defeating the secure boot process and invalidating Ciscoโ€™s chain of trust at its root.ย 

Red Balloonโ€™s latest research consists of discovering multiple, critical architectural vulnerabilities in the Siemens S7-1500 series that allow for bypass of all protected boot features. This discovery has potentially significant implications for industrial environments as these unpatchable hardware root-of-trust vulnerabilities could result in persistent arbitrary modification of S7-1500 operating code and data. Exploitation of these vulnerabilities could allow offline attackers to generate arbitrary encrypted firmware that are bootable on all Siemens S7-1500 series PLC CPU modules. Furthermore, these vulnerabilities allow attackers to persistently bypass integrity validation and security features of the ADONIS operating system and subsequent user space code. Red Balloon has reported these vulnerabilities to Siemens, and Siemens has confirmed them.

The vulnerabilities exist because the Siemens custom System-on-Chip (SoC) does not establish a tamper proof Root of Trust (RoT) in the early boot process. The Siemens RoT is implemented through the integration of a dedicated cryptographic secure element โ€” the ATECC CryptoAuthentication chip. However, this architecture contains flaws that can be leveraged to compromise the system. Failure to establish a RoT on the device allows attackers to load custom-modified bootloaders and firmware.ย 

The fundamental vulnerabilities — improper hardware implementations of the RoT using dedicated cryptographic-processor — are unpatchable and cannot be fixed by a firmware update since the hardware is physically unmodifiable. To limit the effects of potential exploitation of these vulnerabilities, Red Balloon has recommended several mitigations to Siemens which include: implement runtime integrity attestation; add asymmetric signature check for firmware at bootup scheme; and encrypt the firmware with device specific keys that are generated on individual devices.ย 

Red Balloon has developed an advanced persistent threat detection tool for owners and operators of the Siemens S7-1500 series PLCs to verify whether vulnerable devices have been tampered with or compromised.ย 

LEARN HOW RED BALLOON CAN HELP YOU ADDRESS THESE VULNERABILITIES WITH ITS ADVANCED PERSISTENT THREAT DETECTION TOOL.

LEARN MORE
AFFECTED DEVICES

Siemens released the following list of more than 100 products with this vulnerability with currently no fix available.

  • SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0)
  • SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0)
  • SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0)
  • SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0)
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0)
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0)
  • SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0)
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0)
  • SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0)
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0)
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0)
  • SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0)
  • SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0)
  • SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0)
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0)
  • SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0)
  • SIMATIC S7-1500 CPU 1512SP F-1PN (6ES7512-1SK00-0AB0)
  • SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0)
  • SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK00-0AB0)
  • SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0)
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0)
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0)
  • SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0)
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0)
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0)
  • SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0)
  • SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0)
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0)
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0)
  • SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0)
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0)
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0)
  • SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0)
  • SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0)
  • SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0)
  • SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0)
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0)
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0)
  • SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3TN00-0AB0)
  • SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3UN00-0AB0)
  • SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0)
  • SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3FP00-0AB0)
  • SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0)
  • SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0)
  • SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0)
  • SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0)
  • SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0)
  • SIMATIC S7-1500 CPU 1518-4F PN/DP (6ES7518-4FP00-0AB0)
  • SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0)
  • SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0)
  • SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0)
  • SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0)
  • SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0)
  • SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0)
  • SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0)
  • SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0)
  • SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0)
  • SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0)
  • SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0)
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0)
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0)
  • SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0)
  • SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0)
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0)
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0)
  • SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0)
  • SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0)
  • SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0)
  • SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0)
  • SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0)
  • SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0)
  • SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0)
  • SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN00-2AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0)
  • SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0)
  • SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0)
  • SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0)
  • SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0)
  • SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0)
TECHNICAL DETAILS

The ATECC CryptoAuthentication-based RoT hardware implementation is vulnerable and deployed across the Siemens S7-1500 series product line. The firmware gets decrypted in memory and executed each time during bootup. The decryption keys are not built into the firmware itself. Instead, a physical secure element chip — the ATECC108 CryptoAuthentication coprocessor — is used to calculate a decryption seed based on the firmware metadata (header) and the master key inside the secure element. The decryption seed then derives the AES keys for different parts of the encrypted firmware.ย 

However, this ATECC CryptoAuthentication implementation contains flaws that can be leveraged to compromise the integrity of the system. The secure element shared secret is exposed, as shown in Figure 1, which allows attackers to abuse the secure element. The shared secret resides in the device’s nonvolatile storage which can be accessed by attackers. The CryptoAuthentication chip can be used as an oracle to generate the decryption seed which is used to derive AES keys for encrypted firmware. The plaintext bootloader reveals the firmware AES key derivation and decryption scheme.ย 

Figure 1. The vulnerable implementation of Root-of-Trust (RoT) using a secure cryptographic processor. If the shared cryptographic material is captured, adversaries may use the secure cryptographic processor as an oracle to encrypt and decrypt tampered firmware.
ATTACK FLOW

This attack flow allows an attacker to load a custom-modified bootloader and firmware to vulnerable Siemens S7-1500 series PLCs.

  • An attacker can target the vulnerable ATECC secure cryptographic-processor to establish a Root-of-Trust with modified firmware.ย 
  • An attacker with physical access to the device can either attach to the I2C communication bus or extract the physical ATECC chip from the PLCโ€™s PCB to falsely authenticate and use it as an oracle to generate firmware decryption material.ย 
    • The Siemens ADONIS RTOS Firmware and bootloader integrity check is located in the firmware itself (chain of trust) which can be easily bypassed through the attacker’s tampered firmware.
  • The last step is for an attacker to flash the modified firmware onto the device either through NAND flash reprogram or to chain it with an existing remote code execution vulnerability.ย 
SUMMARY

The Siemens S7-1500 series PLCs implement a boot-time firmware validation scheme using a combination of hardware-enabled firmware decryption and binary integrity validation in the Siemens ADONIS operating system. Multiple architectural vulnerabilities exist which allow attackers to bypass all protected boot features, resulting in persistent arbitrary modification of operating code and data. With physical access to a single device, attackers can exploit the vulnerabilities to generate valid AES keys for most of the S7-1500 series firmwares, including the one modified by attackers. The custom-modified firmware can be authenticated and decrypted by the original boot process. By flashing this malicious firmware on a target device, either physically or by exploiting an existing remote code execution vulnerability, attackers could persistently gain arbitrary code execution and potentially circumvent any official security and firmware updates, without the user’s knowledge.

ACKNOWLEDGMENT

Red Balloon would like to thank Siemens for its response in confirming our findings and coordination in the disclosure process.

For further analysis of these vulnerabilities and Siemens S7-1500 series PLCs, pleaseย contact us.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.

LEVERAGE OUR EXPERTISE FOR YOUR SECURITY NEEDS

Reach out to learn more about our embedded security offering and to schedule a demo.