Hard-coded credentials are a longstanding security no-no, but they’re also an ever-present reality because of developers and IT managers who require remote access to networks and systems for troubleshooting purposes.
The level of risk in such cases depends on the system in question. But one thing is sure: researchers and hackers are looking for these built-in passwords and they’re getting easier to find.
The Industrial Control System Cyber Emergency Response Team (ICS-CERT) last week released an advisory warning of a vulnerability in all versions of the TURCK BL20 and BL67 Programmable Gateways that could allow an attacker to find the device’s hard-coded password and remotely own one of these devices. TURCK, a German company, said the devices are widely deployed in a number of manufacturing industries, as well as the agriculture and food industries, mainly in the United States and Europe.
TURCK released a firmware update last week that removes a hard-coded credential that was previously reachable via a built-in FTP server.
Successful exploitation could allow an attacker to impede processes or shut them down by interfering with communication between remote I/O, PLCs or DCS systems. The gateway products, according to the advisory, provide communication between the communications bus and I/O modules.
The advisory said that an attacker with low skill would be able to exploit the vulnerability and that no public exploits were available. IOActive researcher Ruben Santamarta, who has previously researched this issue in other equipment, found the vulnerability.
“All you have to do is download device firmware from the vendor’s website. Once you download the firmware, you can reverse engineer it and learn some interesting secrets,” he wrote in a blogpost yesterday. Santamarta called the hard-coded credentials and built-in FTP server a dangerous combination.
Santamarta said that anyone with knowledge of common IT/embedded syntax could find the credentials by running the strings command on the firmware file.
“There is a drawback to this basic approach. Firmware usually contains thousands of strings and it can take a lot of time to sift through them,” Santamarta said. “It can be much more time consuming than simply loading the firmware in IDA, reconstructing symbols, and finding the ‘interesting’ functions.”
Santamarta used a tool under development called Stringfighter to automate and simplify the process, and search for isolated, out of context strings that are not related to other elements near it that could be a hard-coded credentials. The tool can easily find strings of data that are out of context, but many of those could be false positives, Santamarta said. The challenge was to identify additional blocks of related strings and tie them together in order to analyze them.
“We need a large dictionary of English (or any other language) words to build a transition matrix. We also need a black list to eliminate common patterns. We also want to avoid the false positives produced by symbols. To do this we detect symbols heuristically and ‘normalize’ them by summing the entropy for each of its tokens rather than the symbol as a whole,” Santamarta said. “These features help us distinguish strings that look like natural language words or something more interesting … such as undocumented passwords.”
Santamarta said he has tested the tool against a number of ICS firmware and successfully found backdoors.
With management interfaces for many ICS and SCADA devices reachable over the Internet and searchable via Shodan and other search engines, this likely won’t be the last hard-coded password to be discovered.