HTML5 in the Wild: Transforming OT Interfaces but Opening New Risks

Introduction

Welcome to the 20th installment of "OT Hunt” where we dive into the challenges and opportunities within the realm of ICS/OT devices connected to the internet. This series aims to raise awareness among asset owners and ICS vendors to proactively secure their infrastructures.

The Topic at Hand

This exploration came about by chance. I was researching SpiderControl, an OT vendor, as part of my usual work on ICSRank. According to their product page, the SpiderControl Easy Web-HMI uses HTML5 to develop HMIs directly on PLCs such as Siemens, Beckhoff, and Raspberry Pi, without additional runtime or hardware requirements. Here’s a quick summary:

"The SpiderControl Easy Web-HMI allows users to build and deploy HTML5-based HMIs directly on various PLCs. It supports SCADA integration, remote PLC management via OPC UA and ADS protocols, and allows retrofitting legacy systems by converting outdated interfaces to HTML5."

The platform supports multiple vendors including:

• Baumüller, Beckhoff, Bosch Rexroth, CODESYS compatible devices, Phoenix Contact, Phytec, Raspberry Pi, Siemens, Wago 【source】.

They offer HMI editors that generate HTML5-based web interfaces, which eliminates the need for older, now-deprecated Java applets. However, I noticed that some SpiderControl interfaces still use applets, which generate browser errors, indicating they are still running “in the wild.”

This technology is moving toward cloud-based deployment, with SpiderControl's SCADA server available as a cloud app, Docker component, or in OT marketplaces like Phoenix PLCnext and Bosch ctrlX. This allows for remote monitoring and control of multiple PLCs from the cloud, demonstrating a shift in OT toward modern, flexible web technologies.

Finding SpiderControl Devices in the Wild

Using Shodan and ZoomEye, I searched for devices running SpiderControl.

• Shodan: SpiderControl → 100 results
• ZoomEye: spidercontrol +app:"Phoenix Contact httpd" → 2,800 results

A key observation was that most devices found through ZoomEye were deployed on Phoenix Contact PLCs, revealing the platform's popularity with that vendor.

Common Findings from SpiderControl Deployments

• Open ports: FTP, HTTP (80), SNMP (161), SSH
• SNMP banners: Revealed model information, firmware versions, and manufacturing details—helpful for attackers to determine vulnerabilities.
• Vulnerabilities: SpiderControl interfaces are known to have file upload vulnerabilities.
• QNAP cloud storage and Honeywell XLWeb controllers were also found running alongside SpiderControl devices.
• Issues detected:
• Unpatched or old jQuery libraries.
• Accessible default web interfaces.
• Use of outdated hardware like Huawei B2368-66 modems.

Risks of HTML5: HTML Smuggling and MITRE Technique T1027.006

SpiderControl’s shift to HTML5 comes with certain risks. One significant threat is HTML smuggling, classified under MITRE ATT&CK's T1027.006 as a Defense Evasion technique .

This technique involves injecting malicious JavaScript into HTML5 files, using elements such as:

<a download="malicious.zip" href="data:application/zip;base64,<base64_payload>">  
   Download the Safe Report  
</a>        

When a user clicks the link, it downloads a malicious payload (e.g., a ZIP or EXE). HTML smuggling is often used in QakBot and EnvyScout attacks to distribute malware, bypassing firewalls and antivirus tools through social engineering tactics【source】.

Detection Tip:

To verify if a web interface is using HTML5, open the page source and look for:

<!DOCTYPE html>        

Analysis: Modernizing OT Systems and the Trade-Offs

The shift to HTML5 is necessary to replace outdated technologies like Java applets, but it introduces new risks. While I haven’t encountered specific HTML smuggling incidents in OT environments, similar attacks have targeted banking systems using QakBot. This highlights the potential for exploitation if OT vendors do not configure their web-based systems securely .

Conclusion

As OT vendors adopt modern technologies like HTML5, they must remain vigilant. HTML5's flexibility makes it a powerful tool, but it also expands the attack surface. For asset owners and vendors alike, ICSRank is here to help you discover, assess, and secure your ICS/OT systems.

Stay tuned for more insights in future OT Hunt installments. Our shared vigilance is essential in defending critical infrastructure from evolving cyber threats.