The fallout from last month’s S4 Conference continues in February, with a planned Valentine’s Day release of tools that make it easy to test and exploit vulnerable programmable logic controllers and other industrial control systems. Among the releases will be a tool for cracking passwords on the common ECOM programmable logic controllers by Koyo Electronics, a Japanese firm, according to a blog post by Reid Wightman for Digital Bond.
Writing on Wednesday, Wightman said that a Valentine’s Day release would include a ‘module to brute-force’ passwords for Koyo’s ECOM and ECOM100 PLCs. Researchers revealed that those devices have limited password space (forcing customers to implement short, weak passwords) and, even worse, no lockout or timeout feature to prevent multiple login attempts used in brute force attacks.
The Koyo ECOM models were among a number of popular brands of PLCs that were analyzed by leading SCADA security researchers as part of Project Basecamp. Their work revealed significant security issues with every system they tested, with some PLCs too brittle and insecure to even tolerate security scans and probing.
The Koyo ECOM100 modules were found to come with a bundled Web server that contained denial of service and cross site scripting vulnerabilities and an administrative panel that could be accessed without authentication.
Organizers have already released two modules for the Metasploit and Nessus vulnerability testing tools that can search for vulnerabilities discovered in D20 PLCs made by GE and promised more in February. The Koyo tool will be part of that promised release.
By marrying their vulnerability research to popular (and free) testing tools, the researchers hope to turn up the heat on vendors who, they claim, have created vulnerable, buggy products and then turned a deaf ear to complaints from independent security researchers and customers.
SCADA expert Ralph Langner and others have argued that the vulnerabilities could not have been unknown to vendors, because they are often simply the product of insecure design decisions made and continued for years.
During the S4 Conference in January, Wightman called the results of the Basecamp tests “shameful.”
The brute force password tool for the Koyo PLC will allow customers and consultants to test whether installed devices can have their password hacked. However, it may also make the products easier to manage, he said. Documentation on the ECOM PLC suggests that lost passwords can’t be reset in the field. Instead, the user must send the device in to the manufacturer to have it reset.
