Tool to Exploit PLCs

Friday, February 10, 2012 @ 03:02 PM gHale

New tools are coming out that can make it easy to test and exploit vulnerable programmable logic controllers (PLCs) and other industrial control systems.

One tool coming out can crack passwords on the common ECOM PLCs by Japan’s Koyo Electronics, said Reid Wightman for Digital Bond.


Wightman said the Feb. 14 release would include a “module to brute-force” passwords for Koyo’s ECOM and ECOM100 PLCs. Researchers revealed those devices have limited password space (forcing customers to implement short, weak passwords) and, even worse, no lockout or timeout feature to prevent multiple login attempts used in brute force attacks.

The Koyo ECOM models were among a number of popular brands of PLCs analyzed by leading SCADA security researchers as part of Project Basecamp. They released that information at the S4 conference in Miami in January. Their work revealed significant security issues with every system they tested, with some PLCs too brittle and insecure to even tolerate security scans and probing.

The Koyo ECOM100 modules came with a bundled Web server that contained denial of service and cross site scripting vulnerabilities, as well as an administrative panel that an attacker could access without authentication.

Organizers already released two modules for the Metasploit and Nessus vulnerability testing tools that can search for vulnerabilities discovered in D20 PLCs made by GE and promised more in February. The Koyo tool will be part of that release.

By marrying their vulnerability research to popular (and free) testing tools, the researchers aim to force vendors to fix the vulnerable and buggy products they created, after those vendors turned a deaf ear to complaints from independent security researchers and customers.

SCADA experts said the vendor had to know about the vulnerabilities. These weaknesses came to light during Digital Bond’s S4 Conference in January.

The brute force password tool for the Koyo PLC will allow customers and consultants to test whether installed devices can have their password hacked. However, it may also make the products easier to manage, he said. Documentation on the ECOM PLC suggests lost passwords can’t be reset in the field. Instead, the user must send the device in to the manufacturer to have it reset.
