Siemens produce a range of industrial human-machine interface (HMI) screens which allow operators both to view information about physical processes and to control them. For scenarios where an operator cannot physically access the screen, Siemens provide the Sm@rtServer feature on HMIs, which, when activated, provides remote access either through their own Sm@rtClient application or through third-party VNC client software. Through analysing this server, we discovered a lack of protection against brute-force password attacks on basic devices. On advanced devices, which include a brute-force protection mechanism, we discovered an attacker strategy that evades the mechanism, allowing unlimited password guess attempts with minimal effect on the guess rate. This vulnerability has been assigned two CVEs: CVE-2020-15786 and CVE-2020-157867. In this report, we provide an overview of this vulnerability, discuss the impact of a successful exploitation, and propose mitigations to protect against it. This report accompanies a demo presented at CPSIoTSec 2020.