UPDATE: Security researchers are warning about the risk posed by an embarrassing security hole in industrial control software by the firm RuggedCom. A hidden administrative account could give remote attackers easy access to critical equipment that is used to manage a wide range of critical infrastructure, including rail lines, traffic control systems and electrical substations.
The undocumented backdoor account was first revealed on Monday in a post to the Full-disclosure security discussion list by a user with the initials “JC.” The account uses the login name “factory” and a dynamically generated password that is based on the device’s machine address – or MAC, according to the post.
A Ruggedcom spokesperson said the company was working on a response, but could not immediately comment on the post.
The details of the vulnerability could not be independently confirmed and RuggedCom did not immediately respond to a request for comment from Threatpost. However, the use of hard coded account credentials is common in the industrial control space, where remote, administrative access to devices that are deployed in the field has long been a priority for vendors and customers, alike.
The post’s author, “JC” was not able to immediately comment on the details of his post. He was identified as is Justin W. Clarke, an independent security researcher based in San Francisco according to Digital Bond blog, a source for information on security issues in SCADA and industrial control systems.
In a conversation with Threatpost, Clarke said that he has worked for a decade as an IT and security specialist in the electrical sector and became familiar with Ruggedcom equipment. His past employers include California utility Pacific Gas & Electric, according to information available online. He said he began researching the Ruggedcom platform a year ago after hearing about other independent researchers working on SCADA and ICS devices. He purchased three Ruggedcom devices, including RS400 and RS900 models with his own money on eBay and obtained a copy of the company’s firmware, which he was able to reverse engineer. Developer comments hidden in the firmware revealed references to the “factory” account. Further research revealed the code for generating the password.
In his post, Clarke said that he had made “multiple attempts” to have Ruggedcom remove the back door account and notify customers of its existence. Ruggedcom was first notified in April, 2011 and acknowledged the existence of the account in July, 2011 and requested more time to notify customers on April 10, but did not indicate that the company would close the backdoor account.
Clarke told Threatpost in a phone interview that initial conversations with staff at Ruggedcom left him hopeful that the vendor would address the security hole, but that the company “went dark” shortly after he revealed his findings to them. “I believed that magic was going to happen. I told them they had a back door. Now that they know its there, they’re going to fix it.”
After putting the Ruggedcom research aside for a few months, and with no response from the vendor Clarke finally took his findings to US-CERT. The Department of Homeland Security’s (DHS’s) US-CERT was notified in February, 2012. On Tuesday, it issued a warning about hard-coded account.
“An attacker who successfully guesses the password may be able to gain complete administrative control of the ROS device.”
The notice said that RuggedCom has recommended disabling the RSH service and setting the number of Telnet connections allowed to 0 – disabling remote administrative access to the device.
In a blog post on Tuesday, Dale Peterson of Digital Bond described Ruggedcom as the “Cisco of network infrastructure equipment” – a networking equipment vendor who specializes in “rugged” gear that can be deployed in locations that are exposed to the elements or extreme conditions. The backdoor account is “a huge risk,” Peterson wrote.
Clarke provided a simple script that will generate a valid password, given the MAC address of the device. An attacker who knew the IP address of a Ruggedcom router or switch could collect the MAC address and generate a password to access the device.
“This has a widespread impact for both security and regulatory concerns,” Peterson wrote in an e-mail. Ruggedcom equipment often forms the backbone of SCADA and DCS (distributed control system) networks and provides perimeter protections that shield more sensitive industrial control devices from outside attacks. “Take them out and you have loss of control, loss of view,” he wrote.
Ruggedcom’s customers are also in a tight spot with regulators, Peterson notes.
“Utilities are required to change all default accounts and credentials. If they can’t, they have to file a technical feasibility exception (TFE). They will at least need to do that, and it is questionable that they may have to self report a violation they have had for years,” he said.
Siemens purchased Ruggedcom in January, 2012. Ironically, that company also ran afoul of the security when it was revealed that the Stuxnet worm took advantage of a hard coded administrative password in its WinCC SCADA control software to spread. Despite that, Siemens cautioned customers against changing the default password for the account, saying it could render the company’s PLCs inoperative.
Subsequent stories make it clear that the use of such hidden accounts is common in the industrial control sector. Researcher Dillon Beresford presented evidence of a the use of hard coded administrative passwords in Siemens products in Siemens products at the Black Hat Briefings in Las Vegas in August. The breach of systems managing a municipal water district in Texas in November was also linked to an easy-to-crack, default three character password that was used to secure Siemens Simatic HMI software.
However, Peterson of DigitalBond said it was rare for networking equipment vendors to rely on such features to manage their products.
“I’m baffled,” he told Threatpost. “I have a high opinion of this company – they have a good reputation”
*Homepage Creative Commons image via hdport’s Flickr photostream