Feeds

SCADA vuln imperils critical infrastructure, feds warn

Secret accounts open control systems to attack

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

An electronic device used to control machinery in water plants and other industrial facilities contains serious weaknesses that allow attackers to take it over remotely, the US agency that safeguards the nation's critical infrastructure has warned.

Some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access, the Industrial Control System Cyber Emergency Response Team said in an advisory (PDF) issued on Tuesday. Palatine, Illinois–based Schneider Electric, the maker of the device, has produced fixes for some of the weaknesses and continues to develop additional mitigations.

The PLCs, or programmable logic controllers, reside at the lowest levels of an industrial plant, where computerized sensors meet the valves, turbines, or other machinery that's being controlled. The default passwords are hard-coded into Ethernet cards the systems use to funnel commands into the devices, and temperatures and other data out of them. The Ethernet modules also allow administrators to remotely log into the machinery using protocols such as telnet, FTP, and something called the Windriver Debug port.

According to a blog post published on Monday by independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even in cases where the passcodes are obscured using cryptographic hashes, they are trivial to recover thanks to documented weaknesses in the underlying VxWorks operating system. As a result, attackers can exploit the weakness to log into devices and gain privileged access to its controls.

Hard-coded passwords are a common weakness built into many industrial control systems, including some S7 series of PLCs from Siemens. Because the systems control the machinery connected to dams, gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat because it could be used to sabotage their operation.

The FBI has said it's investigating claims a Houston, Texas–based water utility was breached last month by someone claiming to have accessed the internet-connected computers that control its generators, blowers, and other sensitive gear.

“Hard-coded backdoor credentials that give you administrator rights to a system are pretty severe,” said K. Reid Wightman, a security assessor with Digital Bond, a consultancy that focuses solely on ICS security. He said it can be hard for attackers to exercise too much control over an ICS by taking over the PLC alone, because there's often no indication what kind of equipment is connected to it.

“You don't have the human machine interface so you don't really know what the PLC is plugged into,” he explained. “I really don't know if the [device] is a release valve, an input valve, or a lightbulb.”

Research Wightman plans to release next month at the SCADA Security Scientific Symposium in Miami could increase the damage that attackers can do after gaining access to many widely used PLCs. Among other things, he said his findings would show how to tamper with the device so that they attack other systems they are attached to.

Indeed, in Monday's blog post, Santamarta said the hard-coded credentials could be exploited to install malicious firmware on the controllers. He also alluded to “non-documented functionalities with security implications” in the Schneider devices. He said he discovered the hidden accounts by reverse engineering the firmware that controls the PLCs.

A rudimentary search on the server search engine known as Shodan revealed what appear to be working links to several of the vulnerable Schneider models. Santamarta said there is no fix for the devices other than to retire the faulty Ethernet cards and replace them with better-designed ones. Tuesday's ICS-CERT advisory said the fixes from Schneider removes the telnet and Windriver services. The advisory made no mention of changes to FTP services. ®

Follow dangoodin001.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.