Industrial control system vendor Koyo moved to fix vulnerabilities in its ECOM brand programmable logic controllers (PLCs) after researchers, in January, revealed that the devices were vulnerable to brute force password guessing attacks.
The Department of Homeland Security’s ICS (Industrial Control System) CERT issued an advisory on Wednesday saying that the company issued a patch for affected ECOM modules that disables a vulnerable Web server and adds a “timeout” feature to prevent brute force attacks on the device password. A copy of the updated firmware is available here.
Koyo was one of a number of SCADA and ICS vendors whose products were targeted by researchers as part of Project Basecamp, a volunteer effort to expose rampant product insecurity in the ICS sector. The results of the first round of tests were unveiled at the S4 Conference in Miami in January.
Researcher Reid Wightman, an ICS security consultant who works for the consulting firm Digital Bond, showed attendees at S4 that the Koyo DirectLogic PLC used a weak, 8 byte password and had no password timeout to protect against brute force login attempts. Wightman also observed that Koyo’s integrated Web server lacked any authentication protections at all, meaning that any user who could access the DirectLogic PLC could access the integrated Web server, modifying the IP address of the device, changing e-mail alert settings and so on.
The company’s patch fixes a buffer overflow vulnerability in the ECOM products that was also identified by researchers, but it does not add Web server authentication, or mandate longer, stronger passwords, according to the ICS-CERT alert.
Researchers working for Project Basecamp said such sloppy security features are all too common in the ICS world, where vendors assume that SCADA and ICS systems are not reachable from the public Internet. Increasingly, that thinking is being proven wrong.
Writing on the Digital Bond blog, Wightman said that Koyo was notable for actually addressing the holes disclosed by researchers in January. Other vendors, including General Electric and Schneider have not yet patched a series of critical security holes researchers discovered in the D20 and Quantum model PLCs.
ICS vendors need to rethink the security implications of features such as embedded Web management interfaces, he said.
“I’ve said it before, but I’ll say it again: webservers (sp) on embedded products are a big ‘dumb’. Without very careful careful development, it’s just too easy to make your own bugs.”
He also said the patch is proof that the tough love approach taken by Project Basecamp has worked.
“For all of the full disclosure naysayers, it is notable that vulnerabilities in the Koyo webserver (sp) were first disclosed at S4 in 2009 by Digital Bond alum Daniel Peck. Holding a vendor’s feet to the fire certainly seems to have paid off in this case.”
Project Basecamp researchers continue their work. A release in February included the disclosure of vulnerabilities in
PLCs by Rockwell Automation, Schneider, WAGO, Omron and others. Those included hard coded administrative passwords in some versions of the Modicon Quantum PLC by Schneider Electric. That release included information on Koyo DirectLogic PLCs that were found to be vulnerable to brute force password attacks because they lack a password lockout feature. In April, the Project published three new modules to the Metasploit framework that could be used to test ICS systems. They include a Stuxnet-type attack on programmable logic controllers made by the firm Schneider Electric, Threatpost reported.