SSA-240718 (Last Update: 2020-02-10): Insecure storage of HTTPS CA certificate in SIMATIC S7-1200 V2.x

Published

2020-02-10 00:00:00 UTC

Summary

For the convenience of the customer, a Certificate Authority (CA) for HTTPS connections is installed on the Siemens SIMATIC S7-1200 PLC. The user has the option to trust this CA; if selected, this installs the CA certificate into the browser’s certificate store. Once the user completes this step, the browser will trust any other S7-1200 V2.x PLC on the network.

A researcher has demonstrated the ability to obtain the private key of the S7-1200 CA ("SIMATIC CONTROLLER"). With this private key, an attacker is able to create his own certificate. Using this forged certificate, it is possible to spoof any SSL server certificate and conduct man-in-the-middle attacks on a user’s browser that currently trusts this CA.
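
To check whether a Windows workstation currently trusts this CA, the following added example (not part of the Siemens advisory) lists trust-store entries whose subject or issuer contains the name "SIMATIC CONTROLLER". That the name appears in the certificate's subject is an assumption, and browsers that keep their own certificate store, such as Firefox, are not covered.

```powershell
# CA name as given in the advisory. Matching it against the Subject and
# Issuer fields is an assumption; adjust the pattern if the field differs.
$caName = 'SIMATIC CONTROLLER'

# Windows stores in which a trusted root or intermediate CA can be installed.
$stores = @(
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\CA',
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\CA'
)

$findings = foreach ($store in $stores) {
    # Skip stores that do not exist on this system.
    if (-not (Test-Path -Path $store)) { continue }

    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$caName*" -or $_.Issuer -like "*$caName*" } |
        ForEach-Object {
            # Keep the fields needed to identify and review the entry.
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if ($findings) {
    $findings | Format-List
    Write-Warning "$(@($findings).Count) trust-store entries reference '$caName'; browsers using these stores accept certificates signed with that CA's key."
} else {
    Write-Output "No certificate referencing '$caName' found in the checked stores."
}
```

Run it once per user profile, since the CurrentUser stores differ between accounts on the same machine.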