Some Security Issues in SCALANCE Wireless Industrial Networks

We discuss some security weaknesses of Scalance wireless access points and clients. These devices, developed by Siemens, are commonly used for wireless communication in network control systems. After the identification of the Stuxnet worm, which targeted PLCs from uranium enrichment facilities in Iran, these devices become of increased interest to the security community. Here we analyze them both in a static environment, at the configuration level, as well as in a dynamic environment where they are used for a remote control scenario. We show some vulnerabilities in both situations, in particular some weaknesses in the authentication protocol from their web-based configuration interface and an attack which halts the communication by using deauthentication packets. As proof-of-concept we simulate the evolution of a process which is controlled over the wireless network and could be seriously affected by an adversary unless a local controller is present for redundancy in case of communication failures.