Ladder-logic software vulnerable to hackers

Feb. 13, 2013
Researchers have discovered a design flaw lets anyone carry out commands without authentication on software called CoDeSys, which is widely used in industrial controls

Resources:
3S-Smart Software Solutions GmbH
Digital Bond

Researchers have discovered a design flaw lets anyone carry out commands without authentication on software called CoDeSys, which is widely used in industrial controls.

CoDeSys is an IEC 61131-3 software suite from 3S-Smart Software Solutions GmbH, Germany, that runs ladder-logic operations. It is used by over 260 manufacturers to run ladder-logic programs on PLCs, drive controllers, and other industrial controls. The vulnerability was uncovered by the company Digital Bond, Sunrise, Fla., during its Project Basecamp, a research effort to demonstrate the fragility of industrial control systems.

Researchers at Digital Bond used a Wago IPC 758-870 Model PLC as their test unit, but say all systems running CoDeSys PLC software seem affected. The Wago PLC runs embedded Linux on an x86 central-processing unit, but other operating systems such as Nucleus RTOS and Windows CE are also affected. Given the way CoDeSys operates within the OS, manufacturers often run the ladder logic with elevated root or administrator privileges. Or they use an OS that does not have user privilege controls.

One critical point is that the CoDeSys runtime offers a transmission-control-protocol listener service. The listener service typically runs on port 1200, although ports 1201 and 2455 were used on other controllers. Services provided by this listener include a command-line interface where instructions may be sent directly to the ladder-logic runtime service and a file-transfer service that permits downloading and uploading logic files.

Unfortunately, CoDeSys software executes this connection without user authentication. Anyone who knows how can connect through the CoDeSys software to execute commands and transfer files. For example, they can stop and start the running ladder logic, wipe the PLC memory, and list files and directories. As the runtime operates with high-level privileges, all subdirectories and files are accessible, including critical system files such as /etc/passwd and /etc/shadow in Linux and the Window’s registry in CE.

Right now, the only sure way of securing this or any industrial system is to keep it off any network. However, IT staff can make access more secure by placing systems on private networks that can only be entered through specific machines that carry out user authentication.

© 2013 Penton Media, Inc

Sponsored Recommendations

June 27, 2025
Ensure workplace safety and compliance with our comprehensive Lockout/Tagout (LOTO) Safety Training course. Learn critical procedures to prevent serious injuries.
June 27, 2025
Join our expert webinar to discover essential safety control measures and best practices for engineering a truly safe and compliant industrial environment.
June 25, 2025
An innovative aircraft with electric drives combines the best of both worlds. The cross between drone and helicopter could mean significantly faster and more efficient air emergency...
June 25, 2025
Effective when other materials fail, ceramics are particularly suitable for applications requiring wear and chemical resistance, sliding characteristics or biocompatibility. Discover...

Voice your opinion!

To join the conversation, and become an exclusive member of Machine Design, create an account today!