Breaking Siemens SIMATIC S7 PLC Protection Mechanism
Gao Jian, NSFOCUS, GEWU Lab
TRACK 4
Who am I?
• Gao Jian
• ICS security researcher at NSFOCUS
• Focused on PLC and SCADA vulnerability exploitation & security enhancement
• Acknowledged by Schneider, Codesys, Siemens, etc.
• Contact: [email protected]
Agenda
• Introduction
• Bypass S7-200 PLC protection: desoldering the flash
• Bypass S7-200 Smart PLC protection: traffic sniffing
• Bypass S7-300/400 PLC protection: find key in *.dbt file
• Bypass S7-1200 PLC protection: pass the hash
• How to protect PLC better
Introduction
• SIMATIC is a series of programmable logic controllers and automation systems developed by Siemens.
• SIMATIC PLCs are widely used worldwide, typically in control scenarios for critical information infrastructures such as energy, water, power, etc.
Why?
• Obtain the protected application program, the core intellectual property.
• After breaking the protection mechanism we can perform various sensitive operations (upload program, download program, start, stop, etc.).
Bypass S7-200 PLC protection
• The program cannot be uploaded even if the correct password is entered
• We focus on breaking level 4 password protection
Level 4 protection mechanism
• Enable level 4 protection in the system block
• Simple XOR algorithm
• Compile and download system blocks to the controller
• System block is saved into EEPROM
Desoldering the flash
Desolder the flash, read it out, change the 1-byte password level field, and download the original system block parameters.
[Screenshot: Access level; nihao123]
How to bypass the 2-byte CRC checksum
Extract the system block parameters from the original bin file and download them; the controller then recalculates the correct 2-byte checksum itself.
Bypass S7-200 Smart PLC protection
• Interception of communication traffic using MITM attacks
• Breaking protection by finding the key hidden in the traffic
Authentication algorithm analysis
• Client sends authentication request
• PLC responds with the 22-byte challenge (rkey)
• Client computes hash and sends it to the PLC
• PLC ensures the client responded correctly
Hash computed by the client from the 22-byte challenge rkey and the password pwd:
X = SHA-1(rkey[0:2] + pwd)
Y = rkey[2:22]
hardcode_key[12:14] = rkey[0:2]
Hash = HMAC-SHA-1(X + Y, hardcode_key)   (client sends to PLC)
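The challenge/response computation above, played out as both sides of the exchange. This is an added example, not the author's script: the constant key recovered from commL7.dll is not on the slides, so HARDCODE_KEY is a constructed placeholder and the Plc class only simulates the controller.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the constant key the talk recovered from commL7.dll.
# The real bytes are not on the slides, so responses here will not match a real PLC.
HARDCODE_KEY = bytes(range(0x10, 0x10 + 20))

def client_response(rkey: bytes, pwd: bytes) -> bytes:
    """Client side: derive the response for a 22-byte challenge as the deck lays it out."""
    if len(rkey) != 22:
        raise ValueError("challenge (rkey) must be 22 bytes")
    x = hashlib.sha1(rkey[0:2] + pwd).digest()          # X = SHA-1(rkey[0:2] + pwd)
    y = rkey[2:22]                                       # Y = rkey[2:22]
    key = bytearray(HARDCODE_KEY)
    key[12:14] = rkey[0:2]                               # hardcode_key[12:14] = rkey[0:2]
    return hmac.new(bytes(key), x + y, hashlib.sha1).digest()  # HMAC-SHA-1(X + Y, hardcode_key)

class Plc:
    """PLC side: issue a fresh challenge, then check the response against the stored password."""
    def __init__(self, pwd: bytes) -> None:
        self._pwd = pwd
        self._pending: Optional[bytes] = None

    def challenge(self, rkey: Optional[bytes] = None) -> bytes:
        self._pending = rkey if rkey is not None else os.urandom(22)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            raise RuntimeError("no outstanding challenge")
        expected = client_response(self._pending, self._pwd)
        self._pending = None                             # one response per challenge
        return hmac.compare_digest(response, expected)

def run_exchange(plc_pwd: bytes, client_pwd: bytes,
                 rkey: Optional[bytes] = None) -> Tuple[bytes, bytes, bool]:
    """Play the four messages of the slide and return (challenge, response, accepted)."""
    plc = Plc(plc_pwd)
    chal = plc.challenge(rkey)                           # 1-2: request; PLC answers with rkey
    resp = client_response(chal, client_pwd)             # 3: client hashes and sends
    return chal, resp, plc.verify(resp)                  # 4: PLC checks the response

def matches_capture(rkey: bytes, response: bytes, candidate: bytes) -> bool:
    """Why sniffing is enough: only pwd is missing from the wire, so a captured
    challenge/response pair can be tested against a candidate password offline."""
    return hmac.compare_digest(response, client_response(rkey, candidate))
```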
Authentication algorithm analysis
Reversing STEP7 Micro/WIN SMART commL7.dll
I have implemented a script to calculate the hash
Brute force password
Extract the challenge/response pair from the traffic, then brute-force the password
Bypass S7-300/400 PLC protection
• Online brute-force attack
• Decrypt password in the project file
Decrypt password in the project file
…/hOmSave7/S7HK31AX/HATTRME1.DBT
…/S7BIN/S7HKCOMX.dll
Bypass S7-1200 PLC protection
• Breaking S7-1200 PLC protection—data integrity checking & verification/protocol encryption
• Pass the hash
Memory Dump
Exploiting UART vulnerabilities to dump memory
Desoldering the flash to extract firmware & application data
Analysis of memory
The memory is 128M in size; it starts with the BootLoader, followed by firmware & application data.
Locate the password hash
Reversing OMSp_core_managed.dll shows the password hash algorithm is SHA-1. Hashes located in the dump:
• HMI access protection password hash
• Read access protection password hash
• Full access protection password hash
Pass the Hash
• S7-1215C (firmware V4.5.0)
• TIA V16
• Upload an access-protected project
About firmware V4.5.0
• S7-1215C (firmware V4.5.0)
• TIA V13: download a project with access protection enabled
• TIA V14~V16: no password required, we can upload the password-protected project!!!
• As of May 20, 2021, there is no official download address or information available for TIA Portal with STEP 7 V17 Basic or Professional software.
• TIA V13 project + firmware V4.5.0 = access protection failed!!!
How to protect PLC better
PLC Configurator
• Use code virtualization protection technology to raise the cost of reverse engineering
• Add mutual authentication
• Use encryption techniques to enhance the protection of application project files
• ……
Communication Protocol
PLC
• Sensitive information should be stored in a trust zone, where it is reinforced
• Add mutual authentication
• Passwords must meet a complexity requirements policy
• Use physical hardware protection technology to prevent reverse engineering and desoldering
• ……
Thank you for your attention