How are logic devices like WAGO PFC200 used by hackers?
The Department of Homeland Security warned of a vulnerability affecting WAGO PFC200 logic devices. Discover how this flaw enables threat actors with expert Judith Myerson.
The Department of Homeland Security recently issued an advisory about an improper authentication vulnerability in WAGO PFC200 programmable logic devices. What are these WAGO PFC200 logic devices used for, and what is the vulnerability that enables threat actors to use them in attacks?
WAGO PFC200 programmable logic controller (PLC) devices are ultra-compact automation systems built on a Linux-based CODESYS Runtime, and they expose multiple communication ports. They offer web-based process visualization for traditional machine control, building automation, lighting technology, power distribution, petrochemical processing, wastewater processing and airport traffic engineering.
For example, food stores use the WAGO PFC200 as the main controller for air conditioning. Store headquarters uses a Hakko-Denki touch panel monitor to remotely track energy usage by store; staffers use WAGO's WebVisu mobile application for the same purpose; and other staff take the process data the controller logs to an SD card, load it on a laptop and analyze it remotely.
The vulnerability lies in CODESYS Runtime versions 2.4.x and earlier, and it could enable an unauthenticated attacker to take over the organization's industrial network.
As SEC Consult discovered, the attacker can remotely reach a service named pclinuxos. By exploiting certain of its functions, the attacker can send malicious TCP packets to port 2455, the port the service binds to by default, and change how the device communicates over the network. A tool from Digital Bond can then be used to read, write and delete arbitrary files.
By default, WAGO PFC200 PLCs enable Secure Socket Shell (SSH), which an attacker could use to modify the /etc/shadow file of password hashes and gain privileged access to WAGO PFC200 PLC devices.
Skipping a function, or making other malicious changes to the PLC program at runtime, can cause the controller to misbehave or stop working. In the worst case, an attacker could mount a denial-of-service attack against the organization's network by continuously restarting the device.
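The answer above names the two network services that matter for detection: the CODESYS runtime service on TCP port 2455 and the SSH service that is enabled by default. A defender who cannot patch immediately can at least watch for either port being reached from anywhere other than the engineering workstations that legitimately program the PLC. The script below is an added example written for this article, not code from WAGO, SEC Consult or Digital Bond; the PLC address (10.10.5.20), the engineering subnet (10.10.1.0/24) and the firewall log format are all constructed for the demonstration.

```python
"""Flag allowed TCP sessions to a PLC's CODESYS (2455) or SSH (22) port
that originate outside the approved engineering subnet."""
import ipaddress
import re
from collections import Counter

# Constructed inventory for this example: the PLC, the subnet allowed to
# manage it, and the services the advisory makes worth watching.
PLC_HOSTS = {ipaddress.ip_address("10.10.5.20")}
APPROVED_SOURCES = [ipaddress.ip_network("10.10.1.0/24")]
WATCHED_PORTS = {2455: "CODESYS runtime", 22: "SSH"}

# Constructed, simplified firewall log line:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)"
    r"\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

# Constructed sample log: one approved workstation, one unknown host, plus
# traffic that should be ignored and a malformed line.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.10.1.15 -> 10.10.5.20:2455 tcp allow
2024-03-01T10:00:05Z 10.10.1.15 -> 10.10.5.20:22 tcp allow
2024-03-01T10:01:12Z 192.168.77.9 -> 10.10.5.20:2455 tcp allow
2024-03-01T10:01:13Z 192.168.77.9 -> 10.10.5.20:22 tcp allow
2024-03-01T10:02:00Z 10.10.1.15 -> 10.10.5.20:80 tcp allow
2024-03-01T10:02:30Z 10.10.3.4 -> 10.10.9.1:443 tcp allow
garbage line that should be skipped
"""


def parse_line(line):
    """Return the parsed fields, or None for lines that do not match
    the format or carry an address that is not a valid IP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    try:
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dst"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    fields["port"] = int(fields["port"])
    return fields


def is_approved_source(src):
    """True if the source address lies inside an approved engineering subnet."""
    return any(src in net for net in APPROVED_SOURCES)


def find_unapproved_plc_access(lines):
    """Yield one alert per allowed TCP session that reaches a PLC on a
    watched port from a source outside the approved subnets."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f["dst"] not in PLC_HOSTS or f["port"] not in WATCHED_PORTS:
            continue
        if f["proto"].lower() != "tcp" or f["action"].lower() != "allow":
            continue
        if is_approved_source(f["src"]):
            continue
        alerts.append({
            "ts": f["ts"],
            "src": str(f["src"]),
            "dst": str(f["dst"]),
            "port": f["port"],
            "service": WATCHED_PORTS[f["port"]],
        })
    return alerts


def count_by_source(alerts):
    """Summarise how many watched-port sessions each unapproved host opened."""
    return dict(Counter(a["src"] for a in alerts))


if __name__ == "__main__":
    found = find_unapproved_plc_access(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["ts"]} {a["src"]} reached {a["dst"]}:{a["port"]} '
              f'({a["service"]}) from outside the engineering subnet')
    print("sessions per unapproved source:", count_by_source(found))
```

Only the two sessions from 192.168.77.9 are reported; the approved workstation's sessions, the web request on port 80 and the traffic to a non-PLC host are all ignored, and the malformed line is skipped rather than crashing the parser. In production the allowlist would come from the asset inventory, and a host that hits both 2455 and 22 in quick succession deserves immediate attention.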