Siemens Beresford Backdoor Explored
I thought it would be worthwhile to explore the Beresford backdoor. I recently picked up an old S7 Ethernet module and wanted to see if it contained anything similar.
To do this analysis, I grabbed a few firmwares from Siemens’ download site. It’s easy enough to do. Searching for any of their CPU names on Google will give you their product home page, which includes links to firmware downloads. For example, the CPU 317 with Ethernet that Dillon worked on is here. Note that their firmware update page never even mentions the word “Security”; it simply says “Addressing the Web server after a firmware update no longer causes Defect Z1:8000.” Wow. Informative.
Anyway, I ripped the ROM out of my own Ethernet card for comparison. No special tools are required to get Siemens’ downloaded firmware, but reading the ROM from my Ethernet card requires a Flash programmer with a socket adapter (roughly $150 in parts), as well as the Ethernet module itself ($200 on eBay).