
Backdoor in computer controls opens critical infrastructure to hackers

Widely used software used to control machinery in power plants is vulnerable.

A screen from CoDeSys Visualization.

Software used to manage equipment in power plants, military environments, and nautical ships contains an undocumented backdoor that could allow malicious hackers to access sensitive systems without authorization.

The CoDeSys software tool, which is used in industrial control systems sold by 261 different manufacturers, contains functionality that allows people to remotely issue powerful system commands, Reid Wightman, a researcher with security firm IOActive, told Ars. The CoDeSys tool will grant a command shell to anyone who knows the proper command syntax and inner workings, leaving systems that are connected to the public Internet open to malicious tampering.

"There is absolutely no authentication needed to perform this privileged command," Wightman said. "Imagine if your laptop had a service that accepted an unauthenticated 'shutdown' command, and if someone sent it your laptop [would] shut off and you [would lose] all your work. Anybody on the network could shut off your laptop without needing your password. That would suck. And that's the case here."

Of the two specific programmable logic controllers (PLCs) Wightman has tested, both allowed him to issue commands that halted the devices' process control. He estimated there are thousands of other models that also ship with CoDeSys installed, and he said most of them are probably vulnerable to the same types of attacks. He declined to identify the specific models he tested except to say that one ran the Linux operating system on Intel-compatible processors and the other used Microsoft's Windows CE running on ARM chips. Wightman said a quick search using the Shodan computer location service showed 117 devices directly connected to the Internet, but he suspects more detailed queries could turn up many more. A blog post that contains additional vulnerability details says code that automates the exploit is expected to be added to the Metasploit software framework used by hackers and security professionals.

The discovery is the latest example of the security vulnerabilities that threaten power plants and other critical infrastructure both in the United States and elsewhere in the world. The defective software is embedded in thousands or millions of tiny, mission-critical devices that reside in environments that are often hard to reach and are required to run around the clock. So it's often infeasible to update them once patches are available. Adding to the difficulty, most devices require the firmware to be "reflashed," a process that's harder and riskier than a simple software update.

Vulnerabilities in PLCs sold by German conglomerate Siemens opened the door for the Stuxnet worm, which burrowed into Iran's Natanz nuclear facility to damage centrifuges for enriching uranium. The complexity of fixing security bugs in industrial control systems has led to the term "forever day vulnerabilities" because manufacturers often consider the process too difficult to carry out in many environments or on older products.

As their names imply, programmable logic controllers are devices that can be programmed to open valves, flip on switches, and control other physical pieces of machinery based on input they receive from sensors or computers they are connected to. By seizing control of them, hackers can potentially hijack the normal functioning of sensitive equipment in factories, refineries, and other infrastructure that use them. Companies that are advertised as using CoDeSys sell products used in electric grids, military operations, and nautical navigation, among other things.

Wightman said 3S-Smart Software Solutions, the company that designs CoDeSys, recently issued an advisory that recommended users set a password. He said the advice is ineffective because the password doesn't affect access to the backdoor shell, but instead protects code changes to the controller. As a result, hackers can circumvent the password protection without knowing the current password by using a backdoor shell command. Ars has asked company officials to comment, and this article will be updated if they respond.
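The point above, that a password guarding only program downloads does nothing for an unauthenticated shell path, is easy to see in a toy model. The Python below is an added illustration written for this page; it is not code from the article, from 3S, or from CoDeSys, and it does not model the CoDeSys protocol. The command names ("write_program", "shell", "halt", "status"), the password value, and the audit messages are all hypothetical. It puts a weak dispatcher, whose password check is attached to a single command, beside a hardened one that classifies every request first, authenticates all privileged commands in one place, refuses privileged commands when no credential is configured, and has no shell command at all.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical command set for a toy controller. Constructed for this
# illustration; these are not CoDeSys commands or protocol messages.
PRIVILEGED_COMMANDS = {"write_program", "halt"}
READ_ONLY_COMMANDS = {"status"}


@dataclass
class Controller:
    password: Optional[str] = None
    running: bool = True
    audit: List[str] = field(default_factory=list)


def _password_ok(ctl: Controller, supplied: Optional[str]) -> bool:
    """Constant-time comparison; a missing password never counts as a match."""
    if ctl.password is None or supplied is None:
        return False
    return hmac.compare_digest(ctl.password.encode(), supplied.encode())


def handle_weak(ctl: Controller, cmd: str, arg: str = "",
                supplied_pw: Optional[str] = None) -> Tuple[bool, str]:
    """Weak dispatcher: the password check is bolted onto one command.
    Setting a password protects program changes, as the vendor advice
    intends, but the shell path has no check at all."""
    if cmd == "write_program":
        if ctl.password is not None and not _password_ok(ctl, supplied_pw):
            return False, "denied: password required"
        ctl.audit.append(f"program replaced with {arg!r}")
        return True, "program written"
    if cmd == "shell":
        # Unauthenticated, and the shell acts with the device's full
        # privileges, so the write_program password above is moot.
        ctl.audit.append(f"shell ran {arg!r}")
        if arg == "halt":
            ctl.running = False
        return True, f"shell ran {arg!r}"
    if cmd == "status":
        return True, "running" if ctl.running else "halted"
    return False, "unknown command"


def handle_hardened(ctl: Controller, cmd: str, arg: str = "",
                    supplied_pw: Optional[str] = None) -> Tuple[bool, str]:
    """Hardened dispatcher: classify first, authenticate in one place,
    deny anything not on the allowlist. There is no shell command:
    a diagnostic shell does not belong in a network-facing interface."""
    if cmd in READ_ONLY_COMMANDS:
        return True, "running" if ctl.running else "halted"
    if cmd not in PRIVILEGED_COMMANDS:
        ctl.audit.append(f"rejected unknown command {cmd!r}")
        return False, "unknown command"
    # Every privileged command passes through the same check, and a
    # device with no password configured refuses privileged commands
    # rather than silently allowing them.
    if not _password_ok(ctl, supplied_pw):
        ctl.audit.append(f"auth failure for {cmd!r}")
        return False, "denied: authentication failed"
    if cmd == "halt":
        ctl.running = False
        ctl.audit.append("halt (authenticated)")
        return True, "halted"
    ctl.audit.append(f"program replaced with {arg!r} (authenticated)")
    return True, "program written"


def compare() -> dict:
    """Send the same requests to both handlers and report what each allowed."""
    weak = Controller(password="secret")  # constructed value
    hard = Controller(password="secret")
    results = {}
    results["weak_write_no_pw"] = handle_weak(weak, "write_program", "prog.bin")[0]
    results["weak_shell_no_pw"] = handle_weak(weak, "shell", "halt")[0]
    results["weak_still_running"] = weak.running
    results["hard_write_no_pw"] = handle_hardened(hard, "write_program", "prog.bin")[0]
    results["hard_shell_no_pw"] = handle_hardened(hard, "shell", "halt")[0]
    results["hard_still_running"] = hard.running
    results["hard_halt_with_pw"] = handle_hardened(hard, "halt", supplied_pw="secret")[0]
    return results


if __name__ == "__main__":
    for name, allowed in compare().items():
        print(f"{name}: {allowed}")
```

With the password set, the weak handler still lets an unauthenticated "shell halt" stop the device, which is the gap the advisory's advice leaves open; the hardened handler rejects the shell outright and halts only on an authenticated request. The design choice worth copying is structural: one authentication check that every privileged path must pass, rather than per-command checks that a forgotten path can bypass.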
