Industrial control systems are rife with security issues, not the least of which is the use of hard-coded credentials. In order to minimize downtime, developers and administrators build in passwords to expedite remote troubleshooting in the event of a system crash or failure.

Problems arise when an attacker finds these credentials and the practice becomes tantamount to coding in a backdoor to the device in question.

A security researcher reported this week the discovery of hard-coded credentials in well-known ICS device firmware used to connect to the device vendor’s FTP server. Sofiane Talmat of security consultancy IOActive would not reveal the device in question to Threatpost, but said he is working on a process for remediation and disclosure with the vendor.

“I am not allowed to disclose the vendor name right now as the vulnerability is not yet publicly disclosed and unpatched and there is sensitive information on the FTP server,” Talmat said.

Talmat said he came across a script that tests connectivity transmitted in the clear from the firmware that included the FTP host name, user name and password, in addition to the file name being transferred to the vendor.  The script is designed to ping the host and then connects to an internal FTP server to download a test file and upload the results. Conspiring to make a bad situation worse, in addition to the hard-coded in-the-clear credential, the upload inserts the device serial number into the file name, Talmat said. While this facilitates the use of a unique identifier for each file, Talmat said, it also facilitates the attacker accessing any device by its serial number.

“These device serial numbers are also used by the vendor to generate default admin passwords,” he wrote on the company’s blog. “This knowledge and strategy could allow an attacker to build a database of admin passwords for all of this vendor’s devices.”

Talmat said this is the first time he’s seen serial numbers used to generate admin passwords for different devices. But this isn’t the first time he’s seen a device ID or serial number used as a naming convention for an industrial device.

Digging further, Talmat found issues with another script connecting to the same vendor’s FTP server that uses anonymous access to upload statistics used for debugging from each device. Similarly, the .zip file sent from the device to the FTP server includes the device serial number; the script also prompts the user to add the company name to the file name.

“An attacker with this information can easily build a database of admin passwords linked to the company that owns the device,” Talmat said.

A third problematic script was discovered; this one however allows only write-access to the FTP server and sends device configuration information. Talmat said the server is running an older version of the FTP service which is also vulnerable to public exploits.

“I need to check, but I am sure it’s an old version since the vulnerability was disclosed publicly five or six years before,” he said.

A similar issue was recently patched by TURCK, a German ICS vendor whose devices are deployed in manufacturing, agriculture and food services in the United States and Europe. An alert from the Industrial Control System Cyber Emergency Response Team (ICS-CERT) warned of a vulnerability in TURCK BL20 and BL67 Programmable Gateways that included hard-coded credentials reachable via a FTP server.

The flaw was also discovered by an IOActive researcher, Ruben Santamarta, who said that anyone with an understanding of embedded syntax could find the credentials by running the strings command on the firmware file. He did qualify that this can be time consuming because there are potentially thousands of strings in firmware. An IOActive tool called Stringfighter automates the process by searching for strings that are out of context to elements near it and could be hard-coded credentials.

Categories: Critical Infrastructure