Title: You Are What You Attack: Breaking the Cryptographically Protected S7 Protocol
Authors: Wael Alsabbagh, P. Langendörfer
DOI: 10.1109/WFCS57264.2023.10144251
URL: https://doi.org/10.1109/WFCS57264.2023.10144251
Venue: 2023 IEEE 19th International Conference on Factory Communication Systems (WFCS), volume 185 1, pages 0
Publication date: 2023-04-26
Publication type: Journal Article
Open access: no
Platform: Semanticscholar
Citations: 0
Abstract
The S7 protocol defines an appropriate format for exchanging messages between SIMATIC S7 PLCs and their corresponding engineering software, i.e., TIA Portal. Recently, Siemens has equipped its newer PLC models and their proprietary S7 protocols with a highly developed and sophisticated integrity-check mechanism to protect them from various exploits, e.g., replay attacks. This paper addresses exactly this point and investigates the security of the most developed integrity-check mechanism that the newest S7CommPlus protocol version implements. Our results showed that the latest S7 PLC models, as well as their related protocols, are still vulnerable. We found that adversaries can manipulate two hashes that play a significant role in generating keys and bytes for the encryption processes implemented in the S7CommPlus protocol. This allows adversaries to reproduce S7 packets and conduct several attacks that eventually impact the operation of the target PLC and the entire physical process it controls. To validate our findings, we test all the attack scenarios presented in this work on a cryptographically protected S7 PLC from the 1500 family, which uses the S7CommPlusV3 protocol.