Digital Bond has released exploit tools to “do nasty things” to PLCs, such as “stop the CPU [central processing unit] or provide the credentials to control the device”, wrote Reid Wightman in a blog post.
The vulnerabilities include a flaw in the EtherNet/IP protocol used by IP-enabled PLCs produced by big names such as Allen-Bradley/Rockwell Automation, Schneider Electric, ABB, WAGO, and Omron. About 300 vendors are members of ODVA, the organization that developed the protocol.
“The ‘vulnerability’ is in the protocol specification: no authentication is required per the standard for many commands”, according to Wightman. “Currently you can issue a STOP command (should affect all manufacturers), crash the PLC CPU (probably Allen-Bradley specific, unless other vendors purchased their stack), crash the Ethernet controller (probably Allen-Bradley specific), and reboot the Ethernet controller (should affect all manufacturers).”
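Because the protocol itself will not reject these commands, the compensating control has to sit on the network. The following is an added example (not Digital Bond's tools or any vendor's code) of a monitor that parses the EtherNet/IP encapsulation header, whose 24-byte layout and TCP port 44818 are taken from the ODVA specification, and alerts when a session-opening or data-carrying command arrives from a host outside an assumed engineering-workstation allowlist; the sample packets and addresses are constructed.

```python
import struct

# EtherNet/IP encapsulation header (24 bytes, little-endian), per the ODVA spec:
# command(2) length(2) session_handle(4) status(4) sender_context(8) options(4)
ENIP_HEADER = struct.Struct("<HHII8sI")
ENIP_PORT = 44818
COMMANDS = {0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
            0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
            0x006F: "SendRRData", 0x0070: "SendUnitData"}
# Commands that open a session or carry CIP requests to the controller; the PLC
# honours them from any source, so the source check has to happen on the network.
SESSION_OR_DATA = {0x0065, 0x006F, 0x0070}

def parse_enip_header(payload):
    """Parse the encapsulation header; return None if the payload is too short."""
    if len(payload) < ENIP_HEADER.size:
        return None
    cmd, length, session, status, _ctx, _opts = ENIP_HEADER.unpack_from(payload)
    return {"command": cmd, "name": COMMANDS.get(cmd, "Unknown"),
            "length": length, "session": session, "status": status}

def check_packet(src_ip, dst_port, payload, allowed):
    """Return an alert string for a session/data command from a non-allowlisted host."""
    if dst_port != ENIP_PORT:
        return None
    hdr = parse_enip_header(payload)
    if hdr is None or hdr["command"] not in SESSION_OR_DATA or src_ip in allowed:
        return None
    return f"ALERT: {hdr['name']} (0x{hdr['command']:04x}) from unlisted host {src_ip}"

def build_header(cmd, session=0, data=b""):
    # Constructed test packet (header plus command data), not a real capture.
    return ENIP_HEADER.pack(cmd, len(data), session, 0, b"\x00" * 8, 0) + data

# Constructed sample traffic: one known engineering workstation, one unknown host.
ALLOWED_HOSTS = {"10.0.1.20"}
SAMPLE = [
    ("10.0.1.20", 44818, build_header(0x0065, 0, b"\x01\x00\x00\x00")),  # RegisterSession, allowed
    ("10.0.9.77", 44818, build_header(0x0065, 0, b"\x01\x00\x00\x00")),  # RegisterSession, unknown host
    ("10.0.9.77", 44818, build_header(0x0063)),                          # ListIdentity: discovery only
    ("10.0.9.77", 44818, build_header(0x006F, 0x1234, b"\x00" * 16)),    # SendRRData, unknown host
]

def scan(packets, allowed=ALLOWED_HOSTS):
    """Run the check over a list of (src_ip, dst_port, payload) tuples."""
    return [a for a in (check_packet(s, p, d, allowed) for s, p, d in packets) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Discovery commands such as ListIdentity are left unflagged so that asset-inventory scans do not drown the feed; tighten the set if that noise is acceptable.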
In addition to the EtherNet/IP protocol vulnerability, Digital Bond released exploit tools that target hard-coded administrative passwords in some versions of Schneider’s Modicon Quantum PLC and that brute-force passwords on Koyo’s DirectLogic PLCs, which lack a password lockout feature, Wightman wrote.
Responding to critics who faulted Digital Bond for disclosing vulnerabilities before vendors had a chance to fix them, Wightman said that vendors had been given “forever-and-a-half” to fix the vulnerabilities but had failed to do so.