Debug7: Leveraging a Firmware Modification Attack for Remote Debugging of Siemens S7 PLCs

Researchers demonstrated firmware modification attacks and remote debugging capabilities on Siemens S7 PLCs by exploiting vulnerabilities in the hypervisor and software PLC components

The PLCs run on a dual operating system architecture with a bare metal hypervisor managing a Windows OS and a software PLC OS, but isolation between these systems can be bypassed

A major vulnerability allows replacing both the hypervisor and software PLC files through simple drag-and-drop in Windows, with changes persisting across reboots

Researchers developed a custom debugger and C2 server to:

• Inject commands into the PLC during runtime
• Extract runtime information through CSS file manipulation
• Add malicious code sections with read/write/execute privileges
• Leak register contents and debug data

Security issues discovered include:

• Lack of secure boot chain
• No firmware integrity checks
• Shared encryption keys across PLC models
• Poor isolation between operating systems
• Text sections with write permissions

The attacks allow persistent malware installation that can:

• Survive reboots
• Establish remote command & control
• Modify PLC behavior
• Remain undetected

Recommended mitigations:

• Implement secure boot chain
• Add proper code signing
• Enforce strict OS isolation
• Use ASLR
• Protect text sections
• Remove ability to directly modify firmware

Research impact shows modern PLCs are increasingly vulnerable despite security improvements made after Stuxnet, with potentially severe implications for critical infrastructure