Ladder-logic software vulnerable to hackers

Feb. 13, 2013
Researchers have discovered a design flaw lets anyone carry out commands without authentication on software called CoDeSys, which is widely used in industrial controls

Resources:
3S-Smart Software Solutions GmbH
Digital Bond

Researchers have discovered a design flaw lets anyone carry out commands without authentication on software called CoDeSys, which is widely used in industrial controls.

CoDeSys is an IEC 61131-3 software suite from 3S-Smart Software Solutions GmbH, Germany, that runs ladder-logic operations. It is used by over 260 manufacturers to run ladder-logic programs on PLCs, drive controllers, and other industrial controls. The vulnerability was uncovered by the company Digital Bond, Sunrise, Fla., during its Project Basecamp, a research effort to demonstrate the fragility of industrial control systems.

Researchers at Digital Bond used a Wago IPC 758-870 Model PLC as their test unit, but say all systems running CoDeSys PLC software seem affected. The Wago PLC runs embedded Linux on an x86 central-processing unit, but other operating systems such as Nucleus RTOS and Windows CE are also affected. Given the way CoDeSys operates within the OS, manufacturers often run the ladder logic with elevated root or administrator privileges. Or they use an OS that does not have user privilege controls.

One critical point is that the CoDeSys runtime offers a transmission-control-protocol listener service. The listener service typically runs on port 1200, although ports 1201 and 2455 were used on other controllers. Services provided by this listener include a command-line interface where instructions may be sent directly to the ladder-logic runtime service and a file-transfer service that permits downloading and uploading logic files.

Unfortunately, CoDeSys software executes this connection without user authentication. Anyone who knows how can connect through the CoDeSys software to execute commands and transfer files. For example, they can stop and start the running ladder logic, wipe the PLC memory, and list files and directories. As the runtime operates with high-level privileges, all subdirectories and files are accessible, including critical system files such as /etc/passwd and /etc/shadow in Linux and the Window’s registry in CE.

Right now, the only sure way of securing this or any industrial system is to keep it off any network. However, IT staff can make access more secure by placing systems on private networks that can only be entered through specific machines that carry out user authentication.

© 2013 Penton Media, Inc

Sponsored Recommendations

NEW Low Profile, Ultra Compact Power Supplies

March 13, 2024
Learn more HERE about Altech's Power supplies!

Altech's Liquid Tight Strain Relifs Catalog

March 13, 2024
With experienced Product Engineers and Customer Service personnel, Altech provides solutions to your most pressing application challenges. All with one thought in mind - to ensure...

Industrial Straight-Through Cable Gland

March 13, 2024
Learn more about Altech's cable glands and all they have to offer for your needs!

All-In-One DC-UPS Power Solutions

March 13, 2024
Introducing the All-In-One DC-UPS, a versatile solution combining multiple functionalities in a single device. Serving as a power supply, battery charger, battery care module,...

Voice your opinion!

To join the conversation, and become an exclusive member of Machine Design, create an account today!