Insecure SCPI interface discloses web password in Siglent SDS 1104X-E Oscilloscope
Date: December 2022
Discoverer: Bret McDanel
Affected: at least SDS1xx4X-E_V6.1.37R9.ADS, and possibly earlier. Reportedly fixed in May 2023. It is unknown whether other devices share the flaw, as none were available to the researcher at the time of the research.
The SIGLENT SDS1000X-E is a series of two- and four-channel oscilloscopes. The instrument's features are controlled by an embedded system running Linux. The oscilloscope has an Ethernet port and optional USB Wi-Fi.
Standard Commands for Programmable Instruments (SCPI) is a standard for syntax and commands to use in controlling programmable test and measurement devices. -- Source: Wikipedia
https://siglent.com
https://en.wikipedia.org/wiki/Standard_Commands_for_Programmable_Instruments
- SCPI Ports: 5024 (tcp), 5025 (tcp)
- Web Port: 80 (tcp)
The SCPI processes bind to two different network ports, 5024 and 5025. Neither requires authentication. An undocumented, non-standard SCPI command was discovered by reverse engineering the firmware binaries. The command both reveals the current web password and allows it to be changed.
Further, a PHP script exists in the embedded web server at /device_read_write.php. It requires no authentication and processes SCPI commands, so the same command is also reachable through the web interface.
echo 'WEB:PSW?' | nc 192.168.1.42 5025
echo 'WEB:PSW newpassword' | nc 192.168.1.42 5025
It is advised to upgrade to the current version of the firmware. Further, IoT devices such as oscilloscopes should be placed on a segregated network, and access to the affected ports should be blocked from untrusted hosts.
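As an added detection example (not part of the advisory or Siglent's code), the following flags use of the WEB:PSW command on the SCPI ports and through the /device_read_write.php bridge, and any SCPI session from outside a trusted management set. The flow records are constructed here; the "cmd" query-parameter name in the HTTP sample is an assumption, as the advisory does not name the script's parameters.

```python
"""Detector for the unauthenticated WEB:PSW SCPI command and the
/device_read_write.php bridge from this advisory.  Added example, not
Siglent's code; records would come from a sensor exporting TCP payloads."""
import re
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes

SCPI_PORTS = {5024, 5025}
WEB_PORT = 80
# "WEB:PSW?" discloses the password, "WEB:PSW <value>" overwrites it; SCPI is case-insensitive.
WEB_PSW_RE = re.compile(rb"WEB:PSW(\?|[ \t]+\S+)", re.IGNORECASE)
WEB_PATH = b"/device_read_write.php"

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    kind: str  # untrusted-scpi | scpi-query | scpi-set | web-bridge

def inspect(rec: dict, trusted: set) -> list:
    """Alerts for one flow record {"src", "dst", "dport", "payload": bytes}."""
    src, dst, port, data = rec["src"], rec["dst"], rec["dport"], rec["payload"]
    alerts = []
    if port in SCPI_PORTS:
        # The ports have no authentication, so any session from outside the management net is a finding.
        if src not in trusted:
            alerts.append(Alert(src, dst, port, "untrusted-scpi"))
        for m in WEB_PSW_RE.finditer(data):
            kind = "scpi-query" if m.group(1) == b"?" else "scpi-set"
            alerts.append(Alert(src, dst, port, kind))
    elif port == WEB_PORT and WEB_PATH in data:
        # The PHP bridge carries the command in the request, normally percent-encoded, so decode first.
        if WEB_PSW_RE.search(unquote_to_bytes(data)):
            alerts.append(Alert(src, dst, port, "web-bridge"))
    return alerts

def scan(records, trusted):
    return [a for rec in records for a in inspect(rec, trusted)]

# Constructed sample traffic; the "cmd" query-parameter name is an assumption.
TRUSTED = {"10.0.0.5"}
SAMPLE = [
    {"src": "10.0.0.5", "dst": "192.168.1.42", "dport": 5025, "payload": b"WEB:PSW?\n"},
    {"src": "10.0.0.5", "dst": "192.168.1.42", "dport": 5025, "payload": b"web:psw newpassword\n"},
    {"src": "203.0.113.9", "dst": "192.168.1.42", "dport": 5024, "payload": b"*IDN?\n"},
    {"src": "203.0.113.9", "dst": "192.168.1.42", "dport": 80,
     "payload": b"GET /device_read_write.php?cmd=WEB%3APSW%3F HTTP/1.1\r\n"},
]
```

Running scan(SAMPLE, TRUSTED) yields one scpi-query, one scpi-set, one untrusted-scpi and one web-bridge alert; a standard *IDN? from a trusted host produces nothing.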