
Private Key Found Embedded In Major SCADA Equipment

Soulskill posted more than 2 years ago | from the you-didn't-think-this-through dept.


sl4shd0rk writes "RuggedOS (A Siemens Subsidiary of Flame and Stuxnet fame), an operating system used in mission-critical hardware such as routers and SCADA gear, has been found to contain an embedded private encryption key (PDF). Now that all affected RuggedCom devices are sharing the same key, a compromise on one device gets you the rest for free. If the claims are valid, systems in use which would be affected include U.S. Navy, petroleum giant Chevron, and the Wisconsin Department of Transportation. The SCADA gear which RuggedOS typically runs on is often connected to machinery controlling electrical substations, traffic control systems, and other critical infrastructure. This is the second security nightmare for RuggedCom this year, the first being the discovery of a backdoor containing a non-modifiable account."


105 comments


Rule One (5, Funny)

ColdWetDog (752185) | more than 2 years ago | (#41085709)

Never, ever, name any software "Rugged".

You're just asking for it.

Re:Rule One (5, Funny)

SnoopJeDi (859765) | more than 2 years ago | (#41085745)

Is that why there are so many hookers named Chastity?

Re:Rule One (0)

Anonymous Coward | more than 2 years ago | (#41085801)

A buddy in child services once had to deal with a crack whore that was perennially pregnant, and he would have to take the children away from her (they were always born addicted). She named every single one Unique.

Re:Rule One (4, Insightful)

Spritzer (950539) | more than 2 years ago | (#41085833)

The proper term is "Erotic Interaction Specialist" and the name is all part of the experience that you're paying for.

Re:Rule One (1)

AmiMoJo (196126) | more than 2 years ago | (#41092317)

There is a strip club in my city called "Elegance", where the girls are anything but... I'm sure it is some kind of joke. The men who go there presumably don't want elegance, they want boobs and arse waved in their face.

Re:Rule One (2, Interesting)

Anonymous Coward | more than 2 years ago | (#41086143)

I couldn't help but notice that one of the players on the U.S. women's volleyball Olympic team was named "Destiny Hooker." I don't know what her parents had in mind for her, but she is a hell of a volleyball player.

Re:Rule One (0)

Anonymous Coward | more than 2 years ago | (#41090563)

Actually, it's spelled Destinee Hooker.

Re:Rule One (1)

Darinbob (1142669) | more than 2 years ago | (#41086475)

Don't forget Hope and Charity, virtues that appeal to many customers.

Re:Rule One (2)

SuspectNumber3 (2623637) | more than 2 years ago | (#41087325)

And that all of their customers are named John ?

Re:Rule One (2)

torjeh (1472865) | more than 2 years ago | (#41085809)

At least not as bad as Oracle's "Unbreakable Enterprise Kernel", IMHO.

Re:Rule One (1)

bill_mcgonigle (4333) | more than 2 years ago | (#41087329)


At least not as bad as Oracle's "Unbreakable Enterprise Kernel", IMHO.

about that... [oracle.com]

Re:Rule One (1)

sl4shd0rk (755837) | more than 2 years ago | (#41086149)

Never, ever, name any software "Rugged".

Good point, but all joking aside, this security flaw points out one of the huge problems with "little black boxes". Developers can do stupid stuff like this and nobody but the attacker, and the company, will ever know. It also makes for easy disregard of full disclosure, thereby protecting your brand's image, even though you're making garbage software like this.

Re:Rule One (1)

Anonymous Coward | more than 2 years ago | (#41089291)

I know what you're getting at, but just for sake of knowledge, the name RuggedOS comes from the name of the company, Ruggedcom, which is known for making networking gear capable of surviving in harsh environments, mainly, places that need networking, but don't have A/C units. Think power distribution stations, traffic signal enclosures, remote metering stations, etc. A lot of traffic departments, aside from the state of Wisconsin, use these devices.

Not a surprise (5, Informative)

jandrese (485) | more than 2 years ago | (#41085759)

The embedded controller market is a market full of devices programmed by hardware engineers, not by security professionals. They don't open up their systems for peer review and thus security flaws make it into the final product. There is definitely a sense of security through obscurity with those products, and it almost works except that the internet makes it too easy to broadcast information to the world.

At least now they know that their system is insecure, instead of having it come as a complete surprise when some attacker exploits the weakness to cause some sort of disaster.

Re:Not a surprise (-1)

Anonymous Coward | more than 2 years ago | (#41085883)

Ah La "Live Free or Die Hard!"

Re:Not a surprise (1)

Iniamyen (2440798) | more than 2 years ago | (#41085915)

No one's talking about a fire sale!

Re:Not a surprise (0)

Anonymous Coward | more than 2 years ago | (#41088557)

I would like to live free AND die hard.

Re:Not a surprise (1)

Anonymous Coward | more than 2 years ago | (#41086581)

This sort of security bypass "feature" is designed into the system on purpose, most likely at the behest of the German government and/or military. This is similar to how things are done in the US (and most every nation).

Thinking that any sort of high tech device is "secure" is certainly a mark of insanity. Then we have running an entire nation's worth of nuclear reactors on a shared network... insanity on a level that can only be described as "infinitely stupid".

Re:Not a surprise (4, Interesting)

FhnuZoag (875558) | more than 2 years ago | (#41086841)

RuggedOS was a recent acquisition by Siemens from a Canadian firm, who had various security worries before its sale, but took care to suppress such news to preserve its valuation. It's doubtful there's any German government involvement. What actually seems to have happened is that the RuggedOS was just a huge turd of a product, which its new owners are slowly coming to discover.

Re:Not a surprise (0)

Anonymous Coward | more than 2 years ago | (#41090147)

The product was moved under the umbrella of an unassailable multinational firm that has ties to the German government, military, NATO, etc. It is no accident that over time all important security infrastructure is assimilated by large companies, i.e. why there is no regulation of this aspect of industry by government. It is far preferable for government to work with a few giant companies for the mutual interests of their mutual owners than it is to work with a bunch of little companies, some of which may have real caring people in them.

Re:Not a surprise (2)

LordLimecat (1103839) | more than 2 years ago | (#41091723)

There's TONS of regulation at the top, it's just that big companies are super good at dealing with it.

Asking for MORE regulation just helps to kill the competition you seem to be implying is needed.

Re:Not a surprise (2)

Darinbob (1142669) | more than 2 years ago | (#41086647)

There can be problems trying to get a lot of security into embedded products. There is resistance from management at times because it slows down the release. If the customers aren't demanding it then it's an extra expense without income. Plus good security is always inconvenient by its nature. The more convenient you make something the less secure it becomes. Customers want to just plug in a device and have it work, they want to do upgrades without any hassles, etc.

Then having security gets in the way of the developers. A secure device can't be debugged as easily, you can't sniff the network traffic, you're always having to figure out a way around security just to get the job done. Often you get special developer boards without security, but sometimes there's the temptation to stick in back doors. The person putting in the back door may not understand all about security and think it could be secure just to check the state of a pin; incorrectly assuming that this information would never leave the company, that no one is ever going to scrape off the potting material, that customers would lack the technical ability to attach a probe to a test point, etc.

Re:Not a surprise (2)

lintmint (539531) | more than 2 years ago | (#41086729)

Lame excuse.
If you're a professional engineer tasked with utilizing private / public key encryption you should have known enough to secure the private key.
If you didn't know better you're incompetent; if you did know better you're as negligent as the management team that let it happen.

Re:Not a surprise (2)

jandrese (485) | more than 2 years ago | (#41087043)

But they got the product out the door on time and on budget and it's not hard for the customer to use, so everybody is happy. At least for a few years until the blatant security vulnerabilities are published.

Re:Not a surprise (1)

AmiMoJo (196126) | more than 2 years ago | (#41092341)

They will just claim that security problems are the work of evil Chinese cyber-terrorists. No-one expects aircraft to be bomb-proof so why expect software not to have security flaws that terrorists can exploit?

Of course we can actually make bomb-proof cargo containers for aircraft, but the added weight and additional cost mean they don't get used much.

anything that connects to commodity stuff is evil (2)

swschrad (312009) | more than 2 years ago | (#41087121)

you cannot have security if you have random connections... walkabout machines, removable media that can be read by office and home machines, modem connections, most evil The Connected Internet... that permit a cross of the security barrier.

there has to be an airgap, and the secure stuff stays inside the secure area, and the other world(s) can't get in there.

otherwise, you are open to attack, and eventually will be attacked.

amazing how damn lazy everybody has gotten. I learned this in the 70s.

Re:anything that connects to commodity stuff is ev (1)

SuspectNumber3 (2623637) | more than 2 years ago | (#41087387)

So the real problem is commodity IEC 60320 power cords, that explains so many things.

Re:anything that connects to commodity stuff is ev (0)

Anonymous Coward | more than 2 years ago | (#41090949)

Combine an IEC 60320 power cord with a PS/2 keyboard connector and you have a problem, unless the ground on your building is protected.

Of course it has a private key (5, Insightful)

Anonymous Coward | more than 2 years ago | (#41085769)

That part isn't the story. The story is the fact that they all have the same one. That part is insanity. Without key lifecycle management, including creation, distribution, and revocation, you might as well not use asymmetric encryption at all.

Re:Of course it has a private key (2)

hlavac (914630) | more than 2 years ago | (#41086335)

Having a single key sure simplifies the NSA backdoor management though. Taxpayers are saving money here!

Re:Of course it has a private key (0)

Anonymous Coward | more than 2 years ago | (#41086893)

I've never heard of key lifecycle management and I don't know enough to pick the good hits from a google search, could you please drop a couple of good newbie links so I could get started? Or mention some books. That would be most helpful.

Re:Of course it has a private key (1)

sexconker (1179573) | more than 2 years ago | (#41087909)

I've never heard of key lifecycle management and I don't know enough to pick the good hits from a google search, could you please drop a couple of good newbie links so I could get started? Or mention some books. That would be most helpful.

Old key(s) compromised, use new key(s).
Make sure everyone knows to trust new key(s).

Re:Of course it has a private key (0)

Anonymous Coward | more than 2 years ago | (#41090113)

And how do you recommend distributing this new key? Sounds like another crack in the wall...

Re:Of course it has a private key (0)

Anonymous Coward | more than 2 years ago | (#41092847)

I've never heard of key lifecycle management and I don't know enough to pick the good hits from a google search, could you please drop a couple of good newbie links so I could get started? Or mention some books. That would be most helpful.

Basically it boils down to only using keys for a certain limited period of time before marking them as old and generating new ones. Wrapped up with that of course is how you decide when they are too old, and how you get the new keys in place without exposing them or allowing someone to insert a key of their own.

I'd start by going to the Wikipedia and follow the links they use as citations. Also look for information from CERT and I'd bet that Bruce Schneier has said a few things about it as well.

Re:Of course it has a private key (1)

oreaq (817314) | more than 2 years ago | (#41093403)

It's called a public-key infrastructure. The Wiki article on PKI [wikipedia.org] is not very good, but still gives some kind of introduction to the topic.

Re:Of course it has a private key (1)

OAB_X (818333) | more than 2 years ago | (#41089353)

Even if they do have all the same one (after all, all devices come with the same default password), it isn't an issue if you can change the key is it?

WiDOT (2)

starblazer (49187) | more than 2 years ago | (#41085771)

Hooray! We're all doomed... DOOOOOOOOOOOOOOOOOMED.

Wait, what does the WiDOT have that's SCADA that would end the world? I think the worst that would happen is that the times on the billboards above 41 would be wrong... or warn us of zombies ahead.

Re:WiDOT (2)

Antipater (2053064) | more than 2 years ago | (#41085979)

Traffic light overrides?

Re:WiDOT (1)

vlm (69642) | more than 2 years ago | (#41086557)

Traffic light overrides?

Lately they've been on a building frenzy adding those gates that drop to prevent people from entering the interstate, like the ones they use in flyover sand states so they can evac from the monthly hurricane using both sides of the interstate... You know, for the coastal defense of Wisconsin during hurricane season. Seriously we're about 1200 miles away from a coast, I have no idea why we have brand new interstate gates. Probably black helicopter and tinfoil hat time. When Obama declares martial law and drops those gates there's going to be a lot of cheese heads unable to drive up to Green Bay for the Packers game... and that's when the revolution will begin... not until pro sports are impacted.

Also Milwaukee is chock full of rivers and remotely operated river bridges seemingly every other street.

I don't think you could directly kill anyone or destroy anything, but you could fairly well paralyze all ground traffic if you owned the WiDOT.

Re:WiDOT (2)

starblazer (49187) | more than 2 years ago | (#41086811)

They put those gates up because they want to be able to shut the highway down when some FIB decides that 90 was a great speed and rolls his Lexus eight times over and causes a semi to jackknife and roll.

In my neck of the woods, the only thing that's automatic about these gates is the lights. You still have to dispatch an officer to the gate to crank it down. Once it's down, the officer can relieve himself to do other tasks if the closure is going to be long-term. The alternative is to keep an expensive officer posted at every on-ramp to prevent people from getting on the highway and compounding the issue.

Re:WiDOT (1)

AF_Cheddar_Head (1186601) | more than 2 years ago | (#41087189)

Not many hurricanes in Colorado but we do get BLIZZARDS and they use the gates to close the road during them. Seems to me I remember a few blizzards growing up in Wisconsin so ya think that might be part of the reason.

Re:WiDOT (1)

vlm (69642) | more than 2 years ago | (#41087265)

They may be planning to start to drop the gates whenever it snows, but that would be a first.

Speaking as a local with decades of experience, they rely on inadequate surface street plowing to keep people off the interstate during blizzards. If I can get to the interstate they plow continuously and it's an easy drive... HOWEVER good luck getting there if they won't plow in front of your house until the storm ends, or they won't plow main roads more than every couple hours. The last thing you'd want to do is close the interstate because the fire trucks and ambulances need to use it. I'm just not seeing it.

Re:WiDOT (0)

Anonymous Coward | more than 2 years ago | (#41087237)

Those gates are so they can keep people off the interstates during blizzards. Drive through Colorado and Utah and you'll see them more often than not.

Re:WiDOT (1)

starblazer (49187) | more than 2 years ago | (#41086751)

Most overrides I've seen nowadays have a visible feedback showing that it's activated. Additionally, they have been activating to all-directions-all-red so that the emergency vehicles may just go in the opposite lane to get around. So, other than snarling traffic for a bit, nothing major.

Re:WiDOT (1)

rrohbeck (944847) | more than 2 years ago | (#41087535)

Railway switches and signals? That would be an *interesting* playground.

Re:WiDOT (1)

R3d M3rcury (871886) | more than 2 years ago | (#41087729)

US Navy...hmm..polaris missile launch destroys a major city. Chevron oil refineries start catching fire and economic chaos ensues.

But the Wisconsin Department of Transportation?! Dear God--I could cut off cheese deliveries to North America! Now that's power!!

(Note: I'm sure that I couldn't use this hack to launch a polaris missile. Yes, I'm aware there are tons of failsafes regarding nuclear weapons. This is meant to be humorous.)

Re:WiDOT (1)

sexconker (1179573) | more than 2 years ago | (#41087949)

California cheese is better.

Siemens is suicidal (1)

dragisha (788) | more than 2 years ago | (#41085779)

It is obvious by now.

To provide "mission critical" and then share weaknesses around.

To insert single point of privacy/authorization failure...

And all that from a German company.

Still puzzled.

Re:Siemens is suicidal (5, Funny)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#41085907)

And all that from a German company.

Well, to be fair, the alloy chosen, the temper, and tooling tolerances, on the shared private key were damn beautiful...

Re:Siemens is suicidal (1)

lewi (806353) | more than 2 years ago | (#41087979)

It's unfortunate that a major event, or political push, will need to occur before things change.

The prevailing attitude about industrial equipment, such as PLC and SCADA systems and related items seems to be that even if someone gained access, they'd have to be familiar with the software, own a copy of the software, and know what they are doing.

In other words, only an engineer could hack such a system and they would never do that; so we have nothing to worry about.

I suspect that the same attitude existed relating to the PDP 7 long ago.

Re:Siemens is suicidal (1)

gestalt_n_pepper (991155) | more than 2 years ago | (#41086021)

If you've ever called Siemens' Atos technical support in the Philippines, you'd know they're not just suicidal, but Kafkaesque (and of course, incompetent).

What?? (1, Funny)

Anonymous Coward | more than 2 years ago | (#41085785)

What the fuck is wrong with people? Don't they know we live in a post-PC world? Just throw that old gear on the trashpile of history where it belongs and buy everybody iPads. Problem solved.

L /thread

Re:What?? (-1)

Anonymous Coward | more than 2 years ago | (#41085843)

Everyone knows that only nerds still use keyboards and mice and want to install their own software or do complex work. Everyone else just posts about their last trip to the bathroom to Twitter from their iShiny.

Re:What?? (1)

aix tom (902140) | more than 2 years ago | (#41086069)

Yeah. Just like you could throw away all those old Caterpillar Excavators and buy everyone a Ferrari 612 Scaglietti to do that kind of work.

Re:What?? (1)

Anonymous Coward | more than 2 years ago | (#41086195)

Caterpillar should just stop making those. In my survey of self-reported results only 1% of people have ever used one. Stop being some crusty old person who is resistant to change.

what goes around comes around (-1, Flamebait)

magarity (164372) | more than 2 years ago | (#41085805)

Well, the CIA did this to the Soviets, now the Chinese are doing it to the US. Why it didn't occur to the US that this trick couldn't be used on them in turn is pretty monumental.

Re:what goes around comes around (0)

Anonymous Coward | more than 2 years ago | (#41086173)

Obvious answer says if the CIA did it to the Russians, and the CIA exploited Siemens controllers in Stux and Flame, maybe the CIA is who put this in too.

Re:what goes around comes around (0)

Anonymous Coward | more than 2 years ago | (#41086593)

I seem to recall a DARPA initiative to come up with ways of finding hidden backdoors built into hardware.
I've forgotten the details, but look up the Trust in Integrated Circuits program. Then too is the industry speculation that certain failures in Iraqi and Syrian electronics during recent conflicts was the result of such backdoors and not conventional EA/ECM techniques. So the US military is certainly aware of the possibility, it's just that, for now, they do not yet have any way of detecting or dealing with it.

Re:what goes around comes around (4, Informative)

FhnuZoag (875558) | more than 2 years ago | (#41086695)

There is no involvement of the Chinese in this story at all. The original company that created RuggedOS is Canadian. Who the heck modded the parent +5 Insightful?

Re:what goes around comes around (0)

Anonymous Coward | more than 2 years ago | (#41086781)

fear crazed americans

Re:what goes around comes around (0)

Anonymous Coward | more than 2 years ago | (#41087019)

They may be based in Canada, but RuggedCom's equipment is manufactured in China.

Re:what goes around comes around (3, Funny)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#41087423)

Are you saying that Snow Mexicans are behind this threat?

Re:what goes around comes around (1)

Yo Grark (465041) | more than 2 years ago | (#41091429)

Canadians?

Yo Grark

Do I even want to know? (3, Insightful)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#41085815)

What possible reason would there be to have a shared private key among all devices? Even if there is some (weird, and probably not a good idea) requirement that it be identical across an entire user site, that should be part of a programming/keyfill process. If uniqueness is good, it should just generate a key on first boot...

Re:Do I even want to know? (1)

vlm (69642) | more than 2 years ago | (#41086777)

What possible reason would there be to have a shared private key among all devices? Even if there is some (weird, and probably not a good idea) requirement that it be identical across an entire user site, that should be part of a programming/keyfill process. If uniqueness is good, it should just generate a key on first boot...

My guess from dealing with embedded stuff as a user and programmer, and from dealing with lots of idiots, but no experience with this particular hardware, is the intersection is probably something like a "secure boot and config" infrastructure where only official firmware upgrades and configurations can be uploaded.

Anyone out there who's ever cut and pasted a Cisco config knows what I'm talking about. Now imagine having to sign anything you cut and paste into the config with an annual license key, which eventually via the magic of SSL traces back to the one true mfgr key.

So you have to pay an annual license fee or you're unable to reconfigure, or perhaps even reboot, the hardware.

A pretty good licensing scheme, until it gets you owned.

The other vector is probably the traditional "your idea sucks so here's an awful implementation to make you go away". OK, we'll do your dumb encryption thing so the terrorists can't steal your proprietary trade secret stoplight camera revenue maximizing sequence times, now with 5 millisecond yellow lights only when the redlight camera is installed and operating, but we'll give you the dumbest possible crypto because it's an idiotic idea and sales might like your commission check but I hate you. Oh, you say another totally different customer two years later is now relying on our "idiot grade" crypto to run a nuclear reactor's cooling pumps... um, whoops, sorry, my bad.

Re:Do I even want to know? (1)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#41087495)

Wouldn't the signed binary/config scenario you describe rely on a shared public key across all devices, with unique private keys per support contract or customer and the secret CA keys at the top? There are certainly ways to screw that up; but there shouldn't be any need to expose private keys on endpoints at all, and such an arrangement can and does work (SSL is fucked at an organizational level; but the math works just fine).

Re:Do I even want to know? (1)

OAB_X (818333) | more than 2 years ago | (#41089369)

An easy-to-think-of answer is that if you are required to validate a One True Config as part of an RFP process, and the firmware installed on all devices must be 'identical' and come with SSL out of the box, then you need to pre-program all devices with the same key.

Should you be able to change the key, that mitigates the problem entirely.

"If the claims are valid..." (5, Informative)

Jane Q. Public (1010737) | more than 2 years ago | (#41085819)

Um..... since, according to the document,

"The vulnerability with proof-of-concept (PoC) exploit code was publicly presented by security researcher Justin W. Clarke of Cylance Inc."

I strongly suspect that the claims are valid.

Copy in PEM format? (0)

Anonymous Coward | more than 2 years ago | (#41085917)

Anyone care to post the PEM format version of the private key here? It would be helpful to confirm that it is not protected by a password that is also hardcoded into the firmware.

Re:Copy in PEM format? (1)

Anonymous Coward | more than 2 years ago | (#41085985)

Nice try, chinese hacker!

just do the math (1)

swschrad (312009) | more than 2 years ago | (#41087155)

i-th root of pi minus 1 in a 17-bit field. you're welcome, feel free to implement it in Gray code.

Great! (1)

lennier1 (264730) | more than 2 years ago | (#41085925)

By now they're not even trying anymore.

Well... Surprise! Surprise! Surprise! (5, Interesting)

gestalt_n_pepper (991155) | more than 2 years ago | (#41085987)

And what do you want to bet that the backdoor came from an unfriendly foreign power in the form of an intern or a contract programmer? Takers? Any takers on that action?

Note to Siemens and the US military: You are not magically protected from software sabotage, particularly when you farm out your software production overseas.

Re:Well... Surprise! Surprise! Surprise! (4, Insightful)

CanHasDIY (1672858) | more than 2 years ago | (#41086233)

And what do you want to bet that the backdoor came from an unfriendly foreign power in the form of an intern or a contract programmer?

Meh; gross incompetence is far more likely, considering history...

large committee, overruled by the director (1)

swschrad (312009) | more than 2 years ago | (#41087175)

isn't it always?

Re:Well... Surprise! Surprise! Surprise! (1)

lewi (806353) | more than 2 years ago | (#41088121)

Nah. Arrogance and apathy.

The design meeting probably sounded a little like this: "who are you worried about? Why would anyone be interested in any of this anyway? They'd first have to know (insert secret here) and know where to look it up. And they'd need the right software and settings. Even if they did, what would they do with it? See, one in a million chance that all of that comes true."

Maybe you're right, it does sound like incompetence...

Re:Well... Surprise! Surprise! Surprise! (1)

RocketRabbit (830691) | more than 2 years ago | (#41086319)

We just ignore the problem, just like we ignore all the Manchurian Microchips that infest military, government, commercial, and personal computers in the USA.

Hey, guess what - any chip fabbed in China or Israel probably has extra code doing things we will never see.

Re:Well... Surprise! Surprise! Surprise! (4, Interesting)

FhnuZoag (875558) | more than 2 years ago | (#41086739)

We're talking about a Canadian company who, when confronted with the backdoor earlier this year, refused to fix it. So it's safe to say that the company just doesn't care about security. Check your sinophobia at the door, please.

Re:Well... Surprise! Surprise! Surprise! (1)

gestalt_n_pepper (991155) | more than 2 years ago | (#41087223)

So I should replace it with Canuckaphobia? Look, I'm not suggesting that China, Pakistan, Iran, etc. are any worse than we are. I'm pointing out that this is an obvious attack vector they would be foolish to ignore and they are anything but foolish. If anything, we're fools for ignoring the possibility to appease a bunch of civilian contractors who contributed to the campaign of Congressperson X, Y or Z.

Re:Well... Surprise! Surprise! Surprise! (0)

Anonymous Coward | more than 2 years ago | (#41088243)

While my point is that security vulnerabilities are an international phenomenon, not one you can solve by whitelisting or blacklisting a particular country.

Re:Well... Surprise! Surprise! Surprise! (1)

rrohbeck (944847) | more than 2 years ago | (#41087587)

Come on, Canadians are nice guys, there can be only whitehats in Canada. Canadians would never exploit security holes for malicious purposes.

Re:Well... Surprise! Surprise! Surprise! (1)

OAB_X (818333) | more than 2 years ago | (#41089417)

They fixed it. http://www.ruggedcom.com/productbulletin/ros-security-page/ [ruggedcom.com]
A year too late, yes, but it was fixed.

As far as the original vulnerability goes, that required someone to connect to the public internet a device using an authentication protocol which would transmit the password in the clear (telnet, RSH). Plus, it was an L2 switch, not a router.

Maybe like many small hardware engineering companies it isn't like they don't care about security, maybe management is just bad at supporting it and QA testing it ...

Re:Well... Surprise! Surprise! Surprise! (1)

houghi (78078) | more than 2 years ago | (#41087273)

from an unfriendly foreign power

Just food for thought: Siemens is German. The unfriendly foreign power could be any non-German country, including the USofA. Oh and Germany.

Mr. Potatohead. (1)

tgd (2822) | more than 2 years ago | (#41086139)

Mr Potatohead!

Backdoors are NOT secrets!

No problem (3, Insightful)

aaaaaaargh! (1150173) | more than 2 years ago | (#41086179)

For a few million dollars Siemens will quickly patch it.

Idiot Certificate Authorities (2, Informative)

Anonymous Coward | more than 2 years ago | (#41086443)

I lay blame at the CAs. I've spoken to two CAs about using certificates in embedded devices using lots of low cost subdomains (guid.domain.com). Both recommended that I just use a wildcard certificate.

quickly (1)

swschrad (312009) | more than 2 years ago | (#41087191)

by changing the single worldwide default key and sending out new manual pages telling you what it is.

Not stupid (0)

Anonymous Coward | more than 2 years ago | (#41086271)

They really didn't think the PLA was going to miss an opportunity for sabotage like this.
If the rich people in the US did not want to anger the PRC we would already have restricted purchasing anything that handles data for infrastructure or military to US made only.

I bow down to our new Panda overlords (0)

Anonymous Coward | more than 2 years ago | (#41086331)

I guess Richard Stallman was right: run free software or risk losing the war and your freedoms.

When all your drones stop working Jar-Jar wins.

What the hell (0)

Anonymous Coward | more than 2 years ago | (#41086367)

Who's the researcher behind this? Is he some sort of hacker who has it out for Siemens??

How do we know he isn't a CIA cover story for spreading FUD about German engineering?

Outsourced (0)

Anonymous Coward | more than 2 years ago | (#41086495)

This is where we discover that the software development was outsourced to China or India, right?

Newbie question (1)

Psicopatico (1005433) | more than 2 years ago | (#41087347)

How can one be sure the key in question is a private one and not a public key (aside from the working PoC)?

Are there markings which clearly differentiate the two, like:
<!--PRIVATE KEY GOES HERE --!>...<!-- END PRIVATE KEY --!>
or something?

Re:Newbie question (3, Informative)

dlgeek (1065796) | more than 2 years ago | (#41087603)

Actually, yes. The most common format for storing RSA keys is PEM and it looks like this (randomly generated key just for this post):

-----BEGIN RSA PRIVATE KEY-----
MIIBOQIBAAJBAKLdFpep/qw/SIf/wsO4T17GnttlhLjLrVCfM9p4D2gnnz3OiO45
Xw1wonFOPR0D9ewAIi4yAhcMFXc2jyw3GbMCAwEAAQJAJV7R1k89jsyemgZH7J0Y
KUkuHm22/KhPxpYhUdoGvwEqvuyEFdM6kGuFj5AwMD/R8E9g1JFrQSej1aXCvHM5
oQIhANE3nxoo1pSLRrPv3/dPkq8l9VYtTcjCkiivbh6XHVa5AiEAx0gCx6DMBiGA
rxdplBG9pA91lUptz6wQbiMsFsvzfcsCIB1zD+E1yGamaDBh3ovIVqRy2mLkA6Pz
x3EUqJKDwOx5AiBW7DgaLy8O9YoV1VZ9+YcIip21MrPXQ6we/kR65RceJQIgYDV0
I5e4ncpwsbz6q+VWjZ3mNaOnNgkxESmtQY4vzQo=
-----END RSA PRIVATE KEY-----

The base64 data in the middle is a structure that contains a bunch of numbers. The numbers present in a private key are different from (a superset of) those in a public key, so even if it's in a format that doesn't have the BEGIN..., by parsing the structure you can see what's in it. (Try pasting the key block above into the stdin of openssl rsa -noout -text.)
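
To make the structural argument in the comment above concrete, here is an added Python example (not code from the comment, from Slashdot or from RuggedCom). It does in pure Python what the suggested `openssl rsa -noout -text` does: it strips the PEM armour, walks the DER encoding, counts the INTEGERs in the outer SEQUENCE, and reports whether the block is a PKCS#1 public key (n, e) or a private key (version, n, e, d, p, q, dP, dQ, qInv), using the throwaway key quoted above as its input. It handles PKCS#1 `BEGIN RSA ...` blocks only, not the `BEGIN PUBLIC KEY` / `BEGIN PRIVATE KEY` wrappers; the small DER encoder that re-emits the public half is my own helper, added so the classifier can be seen telling the two forms apart.

```python
import base64
import math

# The throwaway 512-bit key dlgeek pasted above, copied verbatim from the comment.
PEM_FROM_COMMENT = """-----BEGIN RSA PRIVATE KEY-----
MIIBOQIBAAJBAKLdFpep/qw/SIf/wsO4T17GnttlhLjLrVCfM9p4D2gnnz3OiO45
Xw1wonFOPR0D9ewAIi4yAhcMFXc2jyw3GbMCAwEAAQJAJV7R1k89jsyemgZH7J0Y
KUkuHm22/KhPxpYhUdoGvwEqvuyEFdM6kGuFj5AwMD/R8E9g1JFrQSej1aXCvHM5
oQIhANE3nxoo1pSLRrPv3/dPkq8l9VYtTcjCkiivbh6XHVa5AiEAx0gCx6DMBiGA
rxdplBG9pA91lUptz6wQbiMsFsvzfcsCIB1zD+E1yGamaDBh3ovIVqRy2mLkA6Pz
x3EUqJKDwOx5AiBW7DgaLy8O9YoV1VZ9+YcIip21MrPXQ6we/kR65RceJQIgYDV0
I5e4ncpwsbz6q+VWjZ3mNaOnNgkxESmtQY4vzQo=
-----END RSA PRIVATE KEY-----"""


def pem_to_der(pem):
    """Drop the -----BEGIN/END----- armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def der_read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_integers(der):
    """Return every INTEGER in the outer SEQUENCE of a PKCS#1 RSA key, in order."""
    tag, seq, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (tag 0x%02x)" % tag)
    ints, pos = [], 0
    while pos < len(seq):
        tag, value, pos = der_read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("unexpected tag 0x%02x inside RSA key" % tag)
        ints.append(int.from_bytes(value, "big"))
    return ints


def classify_rsa_key(pem):
    """Tell a PKCS#1 public key (SEQUENCE {n, e}) from a private key
    (SEQUENCE {version, n, e, d, p, q, dP, dQ, qInv}) by the integers it carries."""
    ints = rsa_integers(pem_to_der(pem))
    if len(ints) == 2:
        n, e = ints
        return {"kind": "public", "bits": n.bit_length(), "e": e, "fields": 2}
    if len(ints) >= 9 and ints[0] == 0:
        _, n, e, d, p, q, dp, dq, qinv = ints[:9]
        # Sanity-check the secret half: p*q must equal n, d must invert e modulo
        # lcm(p-1, q-1), and the CRT values must match. A mangled copy shows up here.
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        consistent = (p * q == n and (e * d) % lam == 1
                      and dp == d % (p - 1) and dq == d % (q - 1)
                      and (q * qinv) % p == 1)
        return {"kind": "private", "bits": n.bit_length(), "e": e,
                "fields": len(ints), "consistent": consistent}
    raise ValueError("SEQUENCE of %d integers is not a PKCS#1 RSA key" % len(ints))


def der_tlv(tag, value):
    """Minimal DER encoder for one tag/length/value (short and long length forms)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_integer(x):
    """DER INTEGER: big-endian, with a leading 0x00 if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)


def public_pem_from_private(pem):
    """Re-emit only the public half (n, e) of a PKCS#1 private key as a PEM block.
    (Helper written for this example, not an OpenSSL call.)"""
    ints = rsa_integers(pem_to_der(pem))
    der = der_tlv(0x30, der_integer(ints[1]) + der_integer(ints[2]))
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PUBLIC KEY-----\n" + body + "\n-----END RSA PUBLIC KEY-----"


if __name__ == "__main__":
    print("quoted block :", classify_rsa_key(PEM_FROM_COMMENT))
    print("public half  :", classify_rsa_key(public_pem_from_private(PEM_FROM_COMMENT)))
```

The nine-integer count, not the `BEGIN RSA PRIVATE KEY` banner, is what identifies the block as a private key, which is why the same check works on a bare DER blob with no armour at all. Two practical notes for anyone auditing their own firmware images for the RuggedOS class of problem: a block that classifies as `private` inside a shipped image is the finding, whoever generated it; and the modulus width the parser reports matters too, since a 512-bit RSA modulus has been publicly factorable since RSA-155 fell in 1999, so the quoted key is a toy in more ways than one.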

Re:Newbie question (0)

Anonymous Coward | more than 2 years ago | (#41087935)

It looks like it's 512 bits from the length of the block you pasted. I think you should see if Siemens wants to hire you to develop the new security system for ROS.

It's not the first time.... (0)

Anonymous Coward | more than 2 years ago | (#41088059)

It's not that surprising and not limited to the embedded controller market. Not that long ago (in the last couple years) a major network equipment manufacturer included a private key that allowed full ssh access to the box without a password.

*yawn* (1)

jroysdon (201893) | more than 2 years ago | (#41090833)

Your management plane should not be accessible to anything but your management VLAN. If the bad guys have access to that, it's already all over. With management VLAN access they'd just MitM attack your SSL session and serve another "factory" cert that isn't signed by a CA and most admins will just blindly ignore it. This is not news, but a low priority patching event.

Re:*yawn* (0)

Anonymous Coward | more than 2 years ago | (#41091093)

Thanks, Siemens PR! We appreciate your helpful advice.

TR069 key (0)

Anonymous Coward | more than 2 years ago | (#41092161)

My local ISP has been supplying his own custom-ordered VDSL router with a custom-compiled firmware. One of the missing bits is the TR-069 and the auth sections from both the webui and the telnet. My bet is that they buried their key somewhere so they can force-feed me firmware updates and so on.
So now any half-brained hacker can brute force their key and gain instant access to my LAN. Bet they can tunnel in too.

Wanted (1)

ThatsNotPudding (1045640) | more than 2 years ago | (#41092809)

Crappy, lazy coders needed to undermine the entirety of industrialized society. Must be willing to kowtow to clueless, incompetent managers to ensure all life or death controls are as simplistic as a coloring book and as secure as an unlocked screen door.