Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Backdoor In RuggedOS Systems: Infrastructure, Military Systems Vulnerable

Unknown Lamer posted more than 2 years ago | from the steal-me-up-some-electricity dept.

Canada 154

FhnuZoag writes "A backdoor has been found in Canadian based RuggedCom's 'Rugged Operating System', providing easy access to anyone with the devices's MAC address — something often publically displayed. Rugged OS is being used in a wide range of applications, including traffic control, power generation, and even U.S. Navy bases. The backdoor was first found over a year ago, and RuggedCom have so far refused to patch out the exploit." The exploit is trivial: each device has a permanent "factory" user, and an automatically generated password derived from the MAC.

cancel ×

154 comments

Sorry! There are no comments related to the filter you selected.

Nothing is 100% secure. (0)

sandytaru (1158959) | more than 2 years ago | (#39795589)

Nothing. At. All.

Re:Nothing is 100% secure. (5, Funny)

LordAndrewSama (1216602) | more than 2 years ago | (#39795631)

There's a difference between "Nothing is 100% secure" and "Why yes sir, I will lay out the welcoming mat for you".

Re:Nothing is 100% secure. (1)

Pharmboy (216950) | more than 2 years ago | (#39795677)

You are correct. The issue isn't how easy it is to exploit, but rather how easy it would have been to not have this "feature", and the failure to address it.

Re:Nothing is 100% secure. (5, Funny)

ColdWetDog (752185) | more than 2 years ago | (#39795759)

Never play cards with a man called Doc. Never eat at a place called Mom's. Never sleep with a woman whose troubles are worse than your own.

Never trust an OS with the 'Rugged' in it's name.

Re:Nothing is 100% secure. (5, Informative)

yoyoq (1056216) | more than 2 years ago | (#39796035)

never get involved in a land war in Asia Never go against a Sicilian when death is on the line

Re:Nothing is 100% secure. (0)

Anonymous Coward | more than 2 years ago | (#39796321)

Never drink with a russian.

Re:Nothing is 100% secure. (3, Insightful)

splatter (39844) | more than 2 years ago | (#39796661)

Never bet on a pool game against anyone named after a state.

Re:Nothing is 100% secure. (0)

Anonymous Coward | more than 2 years ago | (#39796997)

Never play cards with dwarfs or elves.

Re:Nothing is 100% secure. (5, Insightful)

H0p313ss (811249) | more than 2 years ago | (#39797069)

Never get involved in a software project where the team leader says either "agile" or "scrum" in every second sentence.

Re:Nothing is 100% secure. (3, Funny)

cayenne8 (626475) | more than 2 years ago | (#39796647)

never get involved in a land war in Asia Never go against a Sicilian when death is on the line

Hmmm....I happen to have some iocane here....care to partake in a battle of wits?

:)

Re:Nothing is 100% secure. (4, Insightful)

cpu6502 (1960974) | more than 2 years ago | (#39796027)

>>>the failure to address it.

I suppose this is why OSS advocates claim closed-source is bad? You can't fix the problem yourself, and if the company refuses to do it, then you're stuck.

Re:Nothing is 100% secure. (4, Informative)

Beardo the Bearded (321478) | more than 2 years ago | (#39796087)

Okay, this feature has its use. Let's say Beardo works for the city for 15 years and puts a password on all the light controllers. That's only sane, right? You don't want some asshole changing the light pattern so they get a green light every morning at 7:43 when they're on their way to work or disabling the first-responder receiver.

Let's also assume that Beardo got passed over for a raise AGAIN and decided, "okay, that's it, I'm leaving." Five years later they have to change the timing for some reason, let's say more traffic at the intersection or something, and Beardo is nowhere to be found. He's got a new job in Bermuda and you'll never hear from him again. (I actually did have a co-worker get a job in Bermuda and to this day I am unable to determine if he is alive or dead.)

Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."

You've got to either find the password or send the unit back to the factory to get it reset to the blank factory default (automation direct will do this) People forget passwords. I'm sure once we switch to biometrics people will forget their thumbs or something.

HOWEVER this feature should require some kind of dongle from the manufacturer or some kind of wetwork. Well, then I guess the exploit then becomes "anyone with $175 to buy a NRD-1298 from Rugged can run a Perl script". Even if there was a master password list in the factory then someone could break in or bribe their way into the system. Maybe this password should only work on a direct link like the serial port.

What I guess the company could have done is add the PO number or customer number to the MAC address and then use a more robust password generator to figure it out. I'm not entirely sure what they could do to make it a secure way of getting into your legitimately owned, but inadvertently locked, machine.

Hell, if you get two keys for a master-locked system you can narrow down the master key to one of 17 possibilities. We don't go around telling people that their doors aren't going to work.

Also, I hate to mention this, but I've said it before, the military uses weaponry to enforce their system security. If you're sitting on a rowboat with a parabolic dish, the frigate is going to shoot bullets at you.

Re:Nothing is 100% secure. (1)

Anonymous Coward | more than 2 years ago | (#39796201)

Nice over-architected solution. Sorry you took so long to type out such an insanely complex impossible to implement solution. Maybe RuggedCom has a job for you!

Alternate option: Simply make a bootrom option such that someone at the console during a power cycle can bypass the authentication. Cisco implemented this. It's not hard. No magic calculations, PO numbers, customer numbers.

http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml

Re:Nothing is 100% secure. (3, Insightful)

Beardo the Bearded (321478) | more than 2 years ago | (#39797337)

Right, which means anyone with a pair of overalls can change the light controller.

Re:Nothing is 100% secure. (4, Insightful)

gstoddart (321705) | more than 2 years ago | (#39796301)

I think you're giving them far too much credit.

A password generated using an externally visible attribute of the device is pure incompetence and making stupid decisions.

This isn't about Beardo going away and losing the password, it's about someone making one of those shockingly stupid decisions about convenience over security which leads to security through obscurity.

As TFS says, this is bordering on a trivial exploit since you can likely hack any and all devices running this OS merely by figuring out its MAC address.

What's more, researchers say, for years the company hasn't bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

This is just blatantly moronic. If you're marketing yourself for "mission critical", don't do something this stupid.

Re:Nothing is 100% secure. (1)

Anonymous Coward | more than 2 years ago | (#39797139)

Yup, but it's /marketed/ as "mission critical".

Just saying that if you're /buying/ "mission critical" kit, then you're the moron for not having thorough standards it must meet, that includes a method of proving it does meet these.

This was outsourcing responsibility. This is buying a warranty, buying an insurance package you'll have to go to court to attempt to collect.

If you're outsourcing a "mission critical" aspect of your business, then you're not in that business. Then you're just a middleman.

"Case's primary insight into the dynamics of street dealing was that neither the buyer nor the seller really needed him. A middleman's business is to make himself a necessary evil. The dubious niche Case had carved for himself in the criminal ecology of Night City had beep cut out with lies, scooped out a night at a time with betrayal."

Re:Nothing is 100% secure. (1)

Anonymous Coward | more than 2 years ago | (#39797475)

What's more, researchers say, for years the company hasn't bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

This is just blatantly moronic. If you're marketing yourself for "mission critical", don't do something this stupid.

Two guys, a pickup truck, and a box of grenades can do roughly a Billion dollars of damage an hour in the greater Houston area, just hand tossing from public highways. There's a lot of trust in the world...what's moronic is trusting that any kind of password lock access on a computer system is "secure" from the bad guys. If a password is typed in, a telephoto high def video camera can snag it from across the street or Beardo the Disgruntled can give it to a bad guy as a prank.

Yeah, o.k., the MAC address as password scheme is a little more lame than some and should be stopped, but don't think that ANY password based scheme is really secure from a determined attacker.

Re:Nothing is 100% secure. (1)

gstoddart (321705) | more than 2 years ago | (#39797777)

Two guys, a pickup truck, and a box of grenades can do roughly a Billion dollars of damage an hour in the greater Houston area

And here I thought that was a normal Friday night in Texas. ;-)

Re:Nothing is 100% secure. (1)

Yvan256 (722131) | more than 2 years ago | (#39796383)

I actually did have a co-worker get a job in Bermuda and to this day I am unable to determine if he is alive or dead.

Oh, he's not alive. He's not dead either. He went for a boat ride and he's just.... gone.

Re:Nothing is 100% secure. (2)

Jeremi (14640) | more than 2 years ago | (#39796811)

HOWEVER this feature should require some kind of dongle from the manufacturer or some kind of network.

Or, you could do what every $35 Internet router in the history of Best Buy does: put a little 5-cent button on the back of the device that restores its default settings (or bypasses the password check, or whatever).

Re:Nothing is 100% secure. (2, Funny)

Anonymous Coward | more than 2 years ago | (#39796925)

Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."

Why on earth would he set the password to 8675309? That's just silly.

Re:Nothing is 100% secure. (0)

Anonymous Coward | more than 2 years ago | (#39797127)

Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."

Why on earth would he set the password to 8675309? That's just silly.

Probably for a good time.

Re:Nothing is 100% secure. (1)

Burning1 (204959) | more than 2 years ago | (#39797417)

That's all well and good... But maybe instead of using an back door account that is easily derived from the MAC address, they should have installed a public key?

Re:Nothing is 100% secure. (3, Informative)

Ihmhi (1206036) | more than 2 years ago | (#39797685)

wetwork

Is this some sort of computer security term? "Wetwork" is slang for "murder" in the espionage world.

Re:Nothing is 100% secure. (1)

Beardo the Bearded (321478) | more than 2 years ago | (#39797877)

Solder in a jumper or resistor.

Re:Nothing is 100% secure. (0)

Anonymous Coward | more than 2 years ago | (#39797945)

Never expect supporters of any organisation with the words "family" or "marriage" in its name to be anything less than bigoted, theocratic and idiotic cunts of the highest caliber.

Re:Nothing is 100% secure. (0)

Anonymous Coward | more than 2 years ago | (#39795859)

I would direct you to Less Wrong [lesswrong.com] on this particular logical fallacy.

Re:Nothing is 100% secure. (0)

Anonymous Coward | more than 2 years ago | (#39797021)

Excellent article. Someone also pointed to The Relativity of Wrong [tufts.edu] by Asimov which is worth reading.

Especially things with factory supplied backdoor (4, Insightful)

perpenso (1613749) | more than 2 years ago | (#39795889)

Nothing is 100% secure. Nothing. At. All.

Especially those things with a factory supplied backdoor. Regardless of the complexity of the password, regardless of how the marketing guys try to spin it as a "maintenance portal" or whatever they are calling it (assuming of course customers knew it was there), such a thing is essentially a backdoor.

Hopefully this was something that customers were aware of and something that customers could disable. Or more optimistically a debugging feature customers would have to enable for a session while in direct communication with the factory. Even so a hypothetically generate-able password is troubling.

Re:Nothing is 100% secure. (1)

roc97007 (608802) | more than 2 years ago | (#39797351)

Nothing. At. All.

Absolutely correct, but building in a back door with a password easily derived is almost, but not quite, entirely unlike security.

This makes me wonder how many other OS variants used in control systems have "factory" users built in.

...because you know damn good and well, if it's worth knowing, bad people will know it.

Re:Nothing is 100% secure. (1)

osu-neko (2604) | more than 2 years ago | (#39797361)

Cue the platitudes that could be generically posted into half the articles on /. without reference to the article supposedly being commented on.

Oh, I see you're way ahead of me. Carry on...

STUPID (2, Informative)

GameboyRMH (1153867) | more than 2 years ago | (#39795667)

Unchangeable default password = MEGAFAIL

Re:STUPID (1)

Thud457 (234763) | more than 2 years ago | (#39795817)

Rugged engineers are weenies!

Re:STUPID (0)

Anonymous Coward | more than 2 years ago | (#39796731)

No, your crisco switches are puny! They can not stand up to manly substation environments. /humor off

All jokes aside, the "weenies" didn't buy these things because they were secure. That was not part of the design. They bought them because an office switch would be destroyed the first time a breaker fires in the station.

That said, RuggedCom needs a buy a few clues, because clearly they don't have any.

Blame Canada (0)

Anonymous Coward | more than 2 years ago | (#39795679)

Or could it be those evil Chinese?

Whois JC CREW? (1)

Anonymous Coward | more than 2 years ago | (#39795683)

What's this JC CREW organization that supposedly discovered this backdoor? Is it a corporation? group of hackers? single individual? in the US? International?

i went to their site at www.jccrew.org and it's just a picture of a burned out car. I don't get it. This is huge, but I can't find anything about the research person or organization.

Re:Whois JC CREW? (4, Funny)

Beardo the Bearded (321478) | more than 2 years ago | (#39795795)

Their website had a default password, sorry, couldn't help myself.

Re:Whois JC CREW? (1)

Alioth (221270) | more than 2 years ago | (#39795805)

They are probably (rightly) paranoid that reporting security defects like this will make them liable for criminal prosecution, and would prefer to remain anonymous. It's not like it hasn't happened before.

Re:Whois JC CREW? (1)

michaelwigle (822387) | more than 2 years ago | (#39796779)

and would prefer to remain anonymous

I knew Anonymous had to be behind this! ;)

Re:Whois JC CREW? (1)

h4rr4r (612664) | more than 2 years ago | (#39795807)

They probably don't want to get sued.

Re:Whois JC CREW? (1)

Anonymous Coward | more than 2 years ago | (#39795941)

Straight from TFA:

> "[...]" said Justin W. Clarke, the author of the full-disclosure advisory who said he notified company officials of the backdoor 12 months ago.

Justin Clarke. JC.

Re:Whois JC CREW? (0)

Anonymous Coward | more than 2 years ago | (#39796047)

Wow. Hardcore internet detective work.

Re:Whois JC CREW? (0)

Anonymous Coward | more than 2 years ago | (#39797167)

his name was Justin Clarke... his name was Justin Clarke... his name was Justin Clarke...

Clothing company? (1)

Anonymous Coward | more than 2 years ago | (#39795961)

I think they sell clothing - JCrew has lots on their website. :-)

Re:Whois JC CREW? (1)

Ihmhi (1206036) | more than 2 years ago | (#39797721)

i went to their site at www.jccrew.org and it's just a picture of a burned out car. I don't get it.

Ah, well, that's a picture of what used to be a vehicle full of hacking equipment and anabolic steroids that subsequently blew up for no good reason.

PCI-DSS and others (5, Interesting)

Alioth (221270) | more than 2 years ago | (#39795785)

Using this device would mean you would fail PCI-DSS and probably a few other widely used standards (ISO-27001 for example). One of the first requirements in these standards is that default vendor passwords be changed. You can't change it or even disable it.

Re:PCI-DSS and others (4, Interesting)

h4rr4r (612664) | more than 2 years ago | (#39795837)

From what I have seen, the PCI audit company would pass you anyway or the company would find another that would pass them. This is the main problem with PCI. As the entity that is being certified pays for the service they choose an auditor that will pass them. The correct way to do it would be if the industry paid for this service.

Re:PCI-DSS and others (0)

Anonymous Coward | more than 2 years ago | (#39796107)

Perhaps, but it's better to revoke the rights to certify of the company, shut them down, and blacklist the CEO from payment processing or related work.

When you have a professional engineer screw up, that's how they do it. But the banking isn't really regulated much, so this shit goes on forever.

Re:PCI-DSS and others (1)

Guppy06 (410832) | more than 2 years ago | (#39796803)

The correct way to do it would be if the industry paid for this service.

Which "industry?" The industry of the auditor? The industry of the auditee? The industry of the equipment manufacturer?

You're leaving the realm of "standards" and "fees" and entering the realm of "regulations" and "taxes."

Re:PCI-DSS and others (1)

h4rr4r (612664) | more than 2 years ago | (#39797043)

The credit card industry itself. Meaning that to get to PCI compliance certified you and all others who are certified would pay into a pool that pays the auditors to audit, with randomly assigned auditors and the same payment pass or fail. These auditors would then take some sort of financial risk if you were to fail a future audit.

Re:PCI-DSS and others (1)

TheMathemagician (2515102) | more than 2 years ago | (#39795977)

Their failure to patch this in a year - or even enter into any meaningful dialogue - is indicative of a company with no effective management. Is it wrong to hope some script kiddies now run riot and permanently damage the brand. Probably but meh.

Re:PCI-DSS and others (0)

Anonymous Coward | more than 2 years ago | (#39797177)

<paranoid conspiracy theory>It would also be indicative of a company in the pay of a foreign intelligence agency. You're Welcome.</paranoid conspiracy theory>

Re:PCI-DSS and others (0)

Anonymous Coward | more than 2 years ago | (#39795995)

Maybe it was a hidden 'feature' ?

Re:PCI-DSS and others (1)

X0563511 (793323) | more than 2 years ago | (#39796309)

Ah, but it's not a "default vendor password". It's machine generated, and is unique per device.

I've seen plenty of devices with generated root passwords be certified, and even when they were audited by bloodhounds sent in by an irritable customer. If those passed, well, so would this.

.. Too easy. (0)

Anonymous Coward | more than 2 years ago | (#39795815)

This whole post sounds like a setup for a classic GNNA troll. Rugged military backdoors? Are you kidding me?

Well, maybe it will be fixed (1)

PPH (736903) | more than 2 years ago | (#39795831)

RuggedCom have so far refused to patch out the exploit.

Perhaps when Siemens [cleanbreak.ca] moves in new management, the problem will be fixed. After having the egg of Stuxnet on their face, they might be a bit more proactive about these sorts of things.

Re:Well, maybe it will be fixed (0)

Anonymous Coward | more than 2 years ago | (#39796077)

Perhaps when Siemens [cleanbreak.ca] moves development to Asia,

Fixed that for you.

Re:Well, maybe it will be fixed (1)

whoever57 (658626) | more than 2 years ago | (#39796977)

Perhaps when Siemens moves in new management, the problem will be fixed. After having the egg of Stuxnet on their face

What makes you think there was any failure? Stuxnet was a success. How do you know that Siemens were not complicit in the creation of Stuxnet?

Re:Well, maybe it will be fixed (1)

ColdWetDog (752185) | more than 2 years ago | (#39797605)

Exactly. Siemens might well be next up for the Nobel Peace Prize. They stopped (or at least deferred) Nuclear Armageddon.

Just remember that when you're developing your new super secure application or device....

Just who's side are you really on, anyway?

Re:Well, maybe it will be fixed (1)

Albanach (527650) | more than 2 years ago | (#39797447)

I have to wonder about the Siemens issue here. Sounds like this could rapidly move into the hands of lawyers unless the CERT communications were disclosed during the transaction.

RuggedCom's management held $55.8 million (CAD) worth of stock, so pocketed handsomely from this takeover. Would RuggedCom still be worth $33/share this morning?

not an exploit (0)

CosaNostra Pizza Inc (1299163) | more than 2 years ago | (#39795851)

Its a feature...not an exploit.

exploit (5, Insightful)

vlm (69642) | more than 2 years ago | (#39795869)

Looks like to exploit this, you need the MAC addrs.
1) One way is to be on the same LAN segment and watch a sniffer. This means you're already dead because you've lost physical security.
2) Another way is to telnet (FREAKING telnet in 2012?) into the device and the MAC is in the MOTD. This means you're already dead because you've lost all network security. What kind of madman allows telnet traffic thru a firewall in 2012? What kind of a madman allows unrestricted internet access to an embedded control device?
3) If you manage to somehow own a plain ole PC on a scada network, now you can own embedded control devices. But having an owned PC on your network means you're dead anyway.

I'm still struggling to figure out how a live, well run network could be in danger. What I mean is to implement this exploit takes a system that is already more screwed up than anything you could do with the exploit.

Re:exploit (1)

Hentes (2461350) | more than 2 years ago | (#39795925)

A MAC adress is only 6 bytes which is easy to bruteforce.

Re:exploit (0)

Anonymous Coward | more than 2 years ago | (#39796015)

its 48 bits, this is 2^48 = 281,474,976,710,656 addresses to brute force sir.
although yup, if you know the manufacturer of the devices you can narrow it down a bit, and also i think they may have some sort of detection for unusual network traffic, but still.

Re:exploit (0)

Anonymous Coward | more than 2 years ago | (#39796069)

Even at 6 bytes there are still 281,474,976,710,656 choices. I wouldn't call that easy.

Re:exploit (3, Informative)

X0563511 (793323) | more than 2 years ago | (#39796327)

Cain and Abel can do an ARP sweep for every possible MAC on a 10mbps link in a handful of minutes.

That number isn't as large as you think it is.

Re:exploit (5, Informative)

idontgno (624372) | more than 2 years ago | (#39796071)

It really isn't 6 bytes either. Since RuggedCom has two registered MAC OUIs [ieee.org] (grep for "RuggedCom"), it's only 24 bits to brute-force over two possible 3-byte manufacturer prefixes.

Yeah. Fail-flavored failure-stuffed failure topped with fail gravy.

Re:exploit (1)

vlm (69642) | more than 2 years ago | (#39797755)

Or in other words 25 bits. This will unfortunately not stop marketing-math from claiming 24 bit space + another 24 bit space = 48 bits.

This easy violation of #1 above Still requires epic fail of #2 and/or #3 above to be applied, and if you have failed #2 or #3 you don't need to brute force anyway.

Because you need telnet access to haxor the thing, and the telnet MOTD supposedly tells you the MAC, I have absolutely no idea why you'd brute force the thing instead of just a simple expect script and a regex on the resulting log. Look there's the mac right there. No need to check the other 2**25-1 macs.

Re:exploit (4, Insightful)

Zocalo (252965) | more than 2 years ago | (#39796133)

Also, don't forget that the first couple of those bytes are specific to a vendor, and in RuggedCom's case those would be "000ADC". So that leaves only 2^24 possible MACs from which to generate passwords to try, a search space which could then be further reduced by the need to be able to actually type the password in.

Barring rate limiting, or other protection mechanisms (unlikely on a SCADA device) I'd estimate that a brute force attack on a 100mb/s link is going to be done and dusted in a matter of minutes rather than hours or days.

Re:exploit (0)

Anonymous Coward | more than 2 years ago | (#39795959)

> I'm still struggling to figure out how a live, well run network could be in danger.

If the network were managed by software made by the same people who, I dunno, use unchangeable vendor passwords?

Re:exploit (5, Insightful)

Guppy06 (410832) | more than 2 years ago | (#39795963)

4) brute force the password, knowing that only 3 bytes are unique to the device.

Re:exploit (0)

Anonymous Coward | more than 2 years ago | (#39795965)

As can clearly be seen in the article, the telnet server on the box helpfully hands you the MAC address before even asking for your username.

Re:exploit (0)

Anonymous Coward | more than 2 years ago | (#39795983)

It boils down to practicing defense in depth. Just because you have a hard crunchy outside does not justify having a soft chewy inner core full of backdoors and default passwords.

The MAC address is exposed through the web interface as well.

Re:exploit (1)

h4rr4r (612664) | more than 2 years ago | (#39796079)

1. is pretty easy to do. I walk into your office with a clipboard. I unplug an unused PC and away I go. If need be I clone that PCs network address. How many places actually encrypt their wired network?

Re:exploit (1)

ColdWetDog (752185) | more than 2 years ago | (#39797703)

1. is pretty easy to do. I walk into your office with a clipboard. I unplug an unused PC and away I go. If need be I clone that PCs network address. How many places actually encrypt their wired network?

I walk up to you, don't recognize you as an employee so I figure you're a tech from one of our vendors. I start hinting around for toys and freebies.

Boy, you'd better be able to deliver or you're in a heap of trouble.

Re:exploit (0)

Anonymous Coward | more than 2 years ago | (#39796207)

You don't see a problem with an unchangeable factory default password on every network-enabled embedded device that uses this operating system?

That's very interesting. What other standard safety measures do you find useless? Have you short circuited all the circuit breakers in your house? Remove the safety railing next to your stairs? Cut the seat belts out of your car? Thrown away the life jackets on your boat?

Re:exploit (1)

networkBoy (774728) | more than 2 years ago | (#39796869)

That's very interesting. What other standard safety measures do you find useless? Have you short circuited all the circuit breakers in your house? Remove the safety railing next to your stairs? Cut the seat belts out of your car? Thrown away the life jackets on your boat?

yes, yes, no (it never came with them), and I wish I had a boat...
(kidding of course, it is absurd how people rely on one thing to protect them and assume it will never fail.)

Re:exploit (1)

vlm (69642) | more than 2 years ago | (#39797797)

This reminds me of the periodic epic haxor discovery that if you have physical access to a cisco router and know the "config register hack" then you can pown any router. Its one of those "duh" moments where if you don't have physical security, then you have no security at all.

Re:exploit (0)

Anonymous Coward | more than 2 years ago | (#39798045)

You don't have a clue how networks work, do you?

Re:exploit (2)

tlhIngan (30335) | more than 2 years ago | (#39796797)

2) Another way is to telnet (FREAKING telnet in 2012?) into the device and the MAC is in the MOTD. This means you're already dead because you've lost all network security. What kind of madman allows telnet traffic thru a firewall in 2012? What kind of a madman allows unrestricted internet access to an embedded control device?

From TFA - the MAC is displayed in the MOTD.

As for telnet - you don't need telnet through the firewall. You just need something on the other side of the firewall, like say, an infected computer. Which is good because most IDS's won't track traffic on the internal link (they can't unless they monitor the enitre network).

And having an owned PC on the network is easier if you don't need root priviledges. For this hack, you only need the same level of access that a secretary has - telnet is easily done with socket calls that don't require priviledges after all. If you need admin/root, it's a lot harder, but just getting someone to run a random file - much easier. Heck, I'm sure with a bit of careful crafting, you might even be able to do it with Javascript on a web page and faking same-origin using DNS tricks.

Re:exploit (0)

Anonymous Coward | more than 2 years ago | (#39797239)

1) One way is to be on the same LAN segment and watch a sniffer. This means you're already dead because you've lost physical security.

I don't think you have to be physically the LAN... that's so TRON!

Re:exploit (1)

wiredlogic (135348) | more than 2 years ago | (#39797247)

The US Army thought it was a good idea to give enlistees access to tons of classified data and a DVD burner. Morons abound when expediency is valued more than security.

Re:exploit (1)

couchslug (175151) | more than 2 years ago | (#39797315)

"I'm still struggling to figure out how a live, well run network could be in danger."

Keywords: "well run".

scanners scripties (1)

TeddyR (4176) | more than 2 years ago | (#39795877)

Does this mean that there will now be another set of noise with script kiddies trying to create automated scanners to locate these devices, thus adding more junk for me to look through in the logs?

Re:scanners scripties (2)

Nerdfest (867930) | more than 2 years ago | (#39796095)

Perhaps. With power control systems and traffic systems using this stuff it's also possible that I may have a power outage at my office and a *very* quick trip home, where all the lights my way are green. Possibly.

SC Function initialized (0)

Anonymous Coward | more than 2 years ago | (#39795887)

[Slow_Clap()]{2}

Good. The SC function works.

So we have that.

This word, "rugged" (0)

Guppy06 (410832) | more than 2 years ago | (#39795891)

I do not think it means what you think it means.

Re:This word, "rugged" (4, Funny)

machine321 (458769) | more than 2 years ago | (#39796217)

It means "covered with carpet", right?

Not an issue at all (1)

hfollmann (564898) | more than 2 years ago | (#39795953)

It is a device for industrial manufacturing. In the past the terminals and switches were accessible to anybody allowed into that area. It is an access problem. The network in a manufacturing plant should be inaccessible from outside. Why is that even news?

Re:Not an issue at all (1)

mspohr (589790) | more than 2 years ago | (#39796029)

It is a device for industrial manufacturing. In the past the terminals and switches were accessible to anybody allowed into that area. It is an access problem. The network in a manufacturing plant should be inaccessible from outside.

Why is that even news?

Because morons DO allow access (physical and Internet) to these "secure" areas.

Re:Not an issue at all (2, Informative)

Anonymous Coward | more than 2 years ago | (#39796113)

Look up the term "defense in depth." You do not stop at establishing perimeter security, an appropriate security architecture involves many layers of security thus ensuring you aren't screwed if someone decides to install a DSL line in the plant. Or a cellular modem connected to the serial port of this device in an electric substation. Or in case Bob the IT genius decides to punch a telnet hole through the firewall to make remote admin easier.

Re:Not an issue at all (1)

hfollmann (564898) | more than 2 years ago | (#39796215)

Well, that sounds fine, but totally unrealistic. You have in an industrial plant thousands of these control devices. Maintaining a password list for all these is just not going to work. So builder Bob will have a default password and Joe the mechanic has one. And you the operator have to know who installed this piece of hardware. In an industrial plant not every button or any pressure valve control needs a password. In fact I say the must not have one.

Re:Not an issue at all (1)

plover (150551) | more than 2 years ago | (#39797907)

Well, that sounds fine, but totally unrealistic. You have in an industrial plant thousands of these control devices. Maintaining a password list for all these is just not going to work.

The devices don't need individual passwords, they need individual keys. Passwords are not keys. And deriving secure unique keys from a master key is a solved problem. You can use master key injection systems (like DUKPT). Or you can have the devices automatically create them when they are introduced to the network (like Z-Wave).

So builder Bob will have a default password and Joe the mechanic has one. And you the operator have to know who installed this piece of hardware.

Role based authority is also a way to ensure that the right people have the necessary access. You never give them the raw keys, you give them an access mechanism that uses the keys internally. Even that can be increased in security by using a smarter device capable of session level encryption, or even public key cryptography. Again, passwords are not keys.

In an industrial plant not every button or any pressure valve control needs a password. In fact I say the must not have one.

You're right. But they all need keys, or you have little integrity and no security.

So, when the pols start bitching about 'cyberwar' (1)

CanHasDIY (1672858) | more than 2 years ago | (#39795971)

We'll already be fully aware who our biggest enemy is: big business.

I'm certain the inevitable legislation to come from this will fairly and accurately reflect that fact...

Engineers overlooking the obvious design (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39796017)

The obvious correct hardware design was a simple switch (on the device) that allows usage of a default password. That way, you ensure both that you can put maintenance to the device in the future, whilst maintaining daily security.

Re:Engineers overlooking the obvious design (5, Insightful)

h4rr4r (612664) | more than 2 years ago | (#39796097)

Also when the switch is flipped it should not perform its normal work.

That way it cannot be left in that mode.

Re:Engineers overlooking the obvious design (1)

Anonymous Coward | more than 2 years ago | (#39796167)

You would soon find corporate procedure revised to require the switch to be always on because it saves $100k+ in downtime costs when the vendor pushes two updates in a month. You also have to make the switch prevent SCADA output and signal failure if left on.

The Matrix (0)

Anonymous Coward | more than 2 years ago | (#39796605)

Now we know what exploit Trinity used to shut down the power plant.

It was a typo. (5, Funny)

HiggsBison (678319) | more than 2 years ago | (#39796843)

It was supposed to be RiggedOS.

YES! (0)

Anonymous Coward | more than 2 years ago | (#39797681)

Finally! An excuse to declare war on Canada.

Captcha: ambushed

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>