Technical Report: Gone in 20 Seconds -- Overview of a Password Vulnerability in Siemens HMIs
Joseph Gardiner, Awais Rashid

TL;DR
This paper uncovers a password vulnerability in Siemens HMIs that allows unlimited guessing attacks, even on devices with brute-force protections, highlighting significant security risks and proposing mitigations.
Contribution
It identifies and analyzes a critical password vulnerability in Siemens HMIs, including an attack strategy to bypass brute-force protections, and suggests security improvements.
Findings
Vulnerability allows unlimited password guesses on Siemens HMIs
Attack strategy bypasses brute-force protections
Mitigations can prevent exploitation
Abstract
Siemens produce a range of industrial human machine interface (HMI) screens which allow operators to both view information about and control physical processes. For scenarios where an operator cannot physically access the screen, Siemens provide the Sm@rtServer feature on HMIs, which, when activated, provides remote access either through their own Sm@rtClient application or through third-party VNC client software. Through analysing this server, we discovered a lack of protection against brute-force password attacks on basic devices. On advanced devices which include a brute-force protection mechanism, we discovered an attacker strategy that is able to evade the mechanism, allowing for unlimited password guess attempts with minimal effect on the guess rate. This vulnerability has been assigned two CVEs: CVE-2020-15786 and CVE-2020-157867. In this report, we provide an overview of this…
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Security and Verification in Computing
