Digital Bond

Backdoor In Equipment Used For Traffic Control, Railways Called “Huge Risk”

UPDATE: Security researchers are warning about the risk posed by an embarrassing security hole in industrial control software by the firm RuggedCom. A hidden administrative account could give remote attackers easy access to critical equipment that is used to manage a wide range of critical infrastructure, including rail lines, traffic control systems and electrical substations.

UPDATE: Project Basecamp, a volunteer effort to expose security holes in industrial control system software, unveiled new modules on Thursday to exploit holes in common programmable logic controllers (PLCs). The new exploits, which are being submitted to the Metasploit open platform, include one that carries out a Stuxnet-type attack on programmable logic controllers made by the firm Schneider Electric, according to information provided to Threatpost by Digital Bond, a private consulting firm that has sponsored the effort.

Security researchers made good on a promise to release new exploits for programmable logic controllers (PLCs). The exploits include one targeting a flaw in the implementation of the EtherNet/IP (Industrial Protocol) used in many IP-enabled PLCs. The security hole, if left unaddressed, could enable a remote attacker to crash or unexpectedly reboot the devices, which are critical components of almost every industrial – and critical infrastructure installation.

The fallout from last month’s S4 Conference continues in February, with a planned Valentine’s Day release of tools that make it easy to test and exploit vulnerable programmable logic controllers and other industrial control systems. Among the releases will be a tool for cracking passwords on the common ECOM programmable logic controllers by Koyo Electronics, a Japanese firm, according to a blog post by Reid Wightman for Digital Bond.

VIEW SLIDESHOW Scenes from S4 2012S4 is a conference hosted by Digital Bond, a security consulting firm based in Sunrise, Florida. Now in its fifth year, the S4 draws some of the world’s top experts in securing industrial control systems to sunny Miami Beach to discuss the state of the art.

Miami, Florida – A no-holds barred presentation at the S4 Conference laid bare the woeful state of security for many industrial control systems that power the world’s critical infrastructure. Organizers have also cooperated with security scanning firms Rapid7 and Tenable to release modules for the Metasploit and Nessus products that can test for the discovered security holes.

To hear many of the leading computer security experts, Tuesday, October 18 was “D-Day,” with the “D” standing for “Duqu,” a new piece of malware that virus experts were tripping over each other to call “Stuxnet 2.0.” “Stuxnet Clone ‘Duqu’ Possibly Preparing Power Plant Attacks” read a headline on the Website of Foxnews, summing up the air of hysteria surrounding the new malware. But less than a day later, questions are being raised about the purpose and threat posed by the new malware.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.