The contentious issue of responsible and coordinated vulnerability disclosure has been revisited again as security researcher Billy Rios reacted to a statement made by Siemens claiming that “there are no open issues regarding authentication bypass bugs at Siemens.”
“In May of this year, I reported an authentication bypass for Siemens SIMATIC systems,” he wrote. “These systems are used to manage Industrial Control Systems and Critical Infrastructure. I’ve been patiently waiting for a fix for the issue which affects pretty much every Siemens SIMATIC customer.”
And then he was forwarded the aforementioned statement made by the company’s PR, which he considers a downright lie that implies that his effort and findings are incorrect and easily dismissible.
So, he proceeded to explain in great detail the authentication bypass bug he reported in May, which revealed extremely poor design decisions that can result in attackers to gain remote access to control systems managed by Siemens SIMATIC systems without them knowing the username or password.
“Next time, Siemens should think twice before lying to the press about security bugs that could affect the critical infrastructure-Â¦.to everyone else, Merry Christmas,” he concluded.