

Reversing Industrial Firmware for Fun and Backdoors I - Devko
http://reversemode.com/index.php?option=com_content&task=view&id=80&Itemid=1

======
joelhaasnoot
Surprise surprise...

PLC and other industrial software is a long way behind in terms of "software
engineering". A college classmate did a graduation project/internship figuring
out how to do version control and modularize PLC programs with device drivers.

~~~
YetAnotherAlias
What makes you think that the engineering teams in companies like Siemens,
Rockwell Automation, Mitsubishi, GE etc. are "a long way behind in terms of
'software engineering'"? It is extremely misguided to think that all the
thousands of engineers working in the Industrial Automation field are somehow
behind others. I guess most of the HN crowd has very little exposure to the
technologies in this field and most people probably consider this field
uncool. But that doesn't mean the engineers working on these technologies are
dumb and lagging behind others.

~~~
munin
> What makes you think that the engineering teams in companies like Siemens,
> Rockwell Automation, Mitsubishi, GE etc. are "a long way behind in terms of
> 'software engineering'"?

data.

[http://embeddedgurus.com/barr-code/2010/09/the-sad-state-of-embedded-software-process/](http://embeddedgurus.com/barr-code/2010/09/the-sad-state-of-embedded-software-process/)

I was in a class taught by this guy and I seem to recall him saying that a
large share (20-40%) of embedded developers he surveyed reported using _no
version control software_.

and look at some of the responses in that thread!

"I think that gcc -Wall -Wextra can be subtituted by lint tool (if you use
gcc)."

~~~
barik
"I was in a class taught by this guy and I seem to recall him saying that a
large share (20-40%) of embedded developers he surveyed reported using no
version control software."

Yeah, but that's a vendor issue; it's not that the Engineers don't want to use
version control.

We'd like to, for example, but we usually can't. All of the file formats for
these PLC tools are binary blobs, and since the language is usually a
graphical language (ladder logic) the conventional idea of diff is pretty
meaningless unless someone writes a proprietary version control to handle the
binary blobs + representing ladder logic through diffs.

We still try to use it, but we lose most of the benefits. I suppose you still
get a changelog, but you can't ever merge branches since merging binary blobs
with binary blobs will not go well for you.

~~~
AndrewDucker
You get a change log, a central repository, and the ability to roll back to
previous versions.

That's pretty valuable, even without the ability to merge.

~~~
barik
It's not really as useful as you make it out to be, since PLC code doesn't
exist in isolation; there is __usually__ corresponding hardware. Unless you
plan on magically "rolling back the hardware" changes as well, rolling back
the software isn't all that useful in practice. Even if you can, changes are
not made by any one vendor. Plant modifications happen all the time, so it's
more often the case that you just end up uploading directly from the
controller itself to see what the latest code is. I don't really have a good
solution to that.

The exception of course is some very large companies that do everything in
house.

~~~
anamax
> It's not really as useful as you make it out to be, since PLC code doesn't
> exist in isolation; there is __usually__ corresponding hardware.

You never change the SW without changing the hardware?

Wowsers. No new features and no bugs.

------
DanBC
> _Even though I'm releasing this information when there is still no patch
> available, it has been my decision. I reported it to the ICS-CERT months
> ago. I would like to thank the ICS-CERT and the Schneider security team;
> they have taken these issues very seriously and are working on a patch.
> During the process they have been keeping me updated on every
> decision/progress. However, some time ago I decided to change my disclosure
> policy._

That's a lousy disclosure policy.

~~~
dguido
Playing devil's advocate: As the title says, the vendor included backdoors in
the application. I'm not sure I can trust them and their clearly irresponsible
development practices to patiently wait for them to handle this on their own.

~~~
barik
Almost all PLCs have back doors. Just because it uses Ethernet doesn't mean it
does anything fancy. Almost all the PLCs I am aware of simply wrap existing
RS-232 protocols over IP from the 80s and even earlier. Most of the plants
actually seem to want these back doors, because downtime at a production
facility is incredibly expensive.

PLCs are not designed to be externally accessible, ever. The back doors are
completely irrelevant anyway given that the PLC will accept any packet from
anywhere and perform the operation. The RS-232 commands are functions such as
"enable bit", "disable bit", "set value", "read value", for actuating inputs
and outputs.
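
The comment above describes a PLC that executes any "enable bit" / "set value" style command from any source, so the only place a defender can enforce anything is the network around it. The following is an added example (not code from the thread, the linked article, or any vendor): a small allowlist monitor that reads constructed command records, treats the four operations named above as read or write, and flags writes from hosts that are not known engineering stations as well as any traffic from outside the plant address space. The record format, the hostnames, the addresses and the `Policy` fields are all assumptions made for the example.

```python
"""
Added example: allowlist monitoring for unauthenticated PLC command traffic.
The record format ('<ts> <src> -> <dst> <op>:<target>'), the sample traffic and
the policy values are constructed for illustration, not a real vendor format.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Operation names taken from the comment above; split into the ones that
# change PLC state and the one that only reads it.
WRITE_OPS = frozenset({"enable bit", "disable bit", "set value"})
READ_OPS = frozenset({"read value"})


@dataclass(frozen=True)
class PlcCommand:
    ts: str
    src: IPv4Address
    dst: IPv4Address
    op: str
    target: str


@dataclass(frozen=True)
class Policy:
    # Hosts allowed to issue state-changing commands (engineering stations).
    engineering_hosts: frozenset[IPv4Address]
    # Address space the plant network occupies; anything else is "external".
    plant_networks: tuple[IPv4Network, ...]

    def is_internal(self, addr: IPv4Address) -> bool:
        return any(addr in net for net in self.plant_networks)


@dataclass(frozen=True)
class Alert:
    reason: str
    command: PlcCommand


def parse_record(line: str) -> PlcCommand:
    """Parse one constructed record: '<ts> <src> -> <dst> <op>:<target>'."""
    left, right = line.split(" -> ", 1)
    ts, src = left.rsplit(" ", 1)
    dst, rest = right.split(" ", 1)
    op, target = rest.split(":", 1)
    return PlcCommand(ts, ip_address(src), ip_address(dst), op, target)


def classify(cmd: PlcCommand, policy: Policy) -> Optional[str]:
    """Return an alert reason for a command, or None if it is within policy."""
    if not policy.is_internal(cmd.src):
        # PLCs are never meant to be reachable from outside the plant network,
        # so even a read from an external address is a finding.
        return "external-source"
    if cmd.op in WRITE_OPS and cmd.src not in policy.engineering_hosts:
        # The PLC will execute this regardless; only the monitor can notice.
        return "unauthorized-write"
    if cmd.op not in WRITE_OPS | READ_OPS:
        return "unknown-op"
    return None


def audit(log_text: str, policy: Policy) -> list[Alert]:
    """Run every non-empty record through classify() and collect the alerts."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        cmd = parse_record(line)
        reason = classify(cmd, policy)
        if reason:
            alerts.append(Alert(reason, cmd))
    return alerts


# Constructed sample traffic (not captured from any real plant).
SAMPLE_LOG = """\
2012-01-20T10:01:00Z 10.10.1.5 -> 10.10.2.20 read value:TANK_LEVEL
2012-01-20T10:01:05Z 10.10.1.5 -> 10.10.2.20 set value:PUMP_SPEED=40
2012-01-20T10:01:09Z 10.10.3.77 -> 10.10.2.20 enable bit:PUMP1_RUN
2012-01-20T10:01:12Z 198.51.100.23 -> 10.10.2.20 read value:TANK_LEVEL
2012-01-20T10:01:15Z 198.51.100.23 -> 10.10.2.20 disable bit:PUMP1_RUN
"""

# Constructed policy: one engineering station, one plant /16.
POLICY = Policy(
    engineering_hosts=frozenset({ip_address("10.10.1.5")}),
    plant_networks=(ip_network("10.10.0.0/16"),),
)

if __name__ == "__main__":
    for a in audit(SAMPLE_LOG, POLICY):
        c = a.command
        print(f"{a.reason:<18} {c.ts} {c.src} -> {c.dst} {c.op}:{c.target}")
```

Run as a script, the three alerts come from the internal host that is not an engineering station and from the external address, while the allowed station's own "set value" passes. Checking the source against the plant address space before checking the allowlist matters: an external write is reported as external access rather than merely as an unauthorized write, which is the finding that actually contradicts "PLCs are not designed to be externally accessible".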

~~~
joelhaasnoot
Someone forgot to tell the water pump engineers that in Illinois

