Ladder-logic software vulnerable to hackers

Feb. 13, 2013
Researchers have discovered a design flaw lets anyone carry out commands without authentication on software called CoDeSys, which is widely used in industrial controls

3S-Smart Software Solutions GmbH
Digital Bond

Researchers have discovered a design flaw lets anyone carry out commands without authentication on software called CoDeSys, which is widely used in industrial controls.

CoDeSys is an IEC 61131-3 software suite from 3S-Smart Software Solutions GmbH, Germany, that runs ladder-logic operations. It is used by over 260 manufacturers to run ladder-logic programs on PLCs, drive controllers, and other industrial controls. The vulnerability was uncovered by the company Digital Bond, Sunrise, Fla., during its Project Basecamp, a research effort to demonstrate the fragility of industrial control systems.

Researchers at Digital Bond used a Wago IPC 758-870 Model PLC as their test unit, but say all systems running CoDeSys PLC software seem affected. The Wago PLC runs embedded Linux on an x86 central-processing unit, but other operating systems such as Nucleus RTOS and Windows CE are also affected. Given the way CoDeSys operates within the OS, manufacturers often run the ladder logic with elevated root or administrator privileges. Or they use an OS that does not have user privilege controls.

One critical point is that the CoDeSys runtime offers a transmission-control-protocol listener service. The listener service typically runs on port 1200, although ports 1201 and 2455 were used on other controllers. Services provided by this listener include a command-line interface where instructions may be sent directly to the ladder-logic runtime service and a file-transfer service that permits downloading and uploading logic files.

Unfortunately, CoDeSys software executes this connection without user authentication. Anyone who knows how can connect through the CoDeSys software to execute commands and transfer files. For example, they can stop and start the running ladder logic, wipe the PLC memory, and list files and directories. As the runtime operates with high-level privileges, all subdirectories and files are accessible, including critical system files such as /etc/passwd and /etc/shadow in Linux and the Window’s registry in CE.

Right now, the only sure way of securing this or any industrial system is to keep it off any network. However, IT staff can make access more secure by placing systems on private networks that can only be entered through specific machines that carry out user authentication.

© 2013 Penton Media, Inc

Sponsored Recommendations

The entire spectrum of drive technology

June 5, 2024
Read exciting stories about all aspects of maxon drive technology in our magazine.


May 15, 2024
Production equipment is expensive and needs to be protected against input abnormalities such as voltage, current, frequency, and phase to stay online and in operation for the ...

Solenoid Valve Mechanics: Understanding Force Balance Equations

May 13, 2024
When evaluating a solenoid valve for a particular application, it is important to ensure that the valve can both remain in state and transition between its de-energized and fully...

Solenoid Valve Basics: What They Are, What They Do, and How They Work

May 13, 2024
A solenoid valve is an electromechanical device used to control the flow of a liquid or gas. It is comprised of two features: a solenoid and a valve. The solenoid is an electric...

Voice your opinion!

To join the conversation, and become an exclusive member of Machine Design, create an account today!