Feeds

SCADA vuln imperils critical infrastructure, feds warn

Secret accounts open control systems to attack

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

An electronic device used to control machinery in water plants and other industrial facilities contains serious weaknesses that allow attackers to take it over remotely, the US agency that safeguards the nation's critical infrastructure has warned.

Some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access, the Industrial Control System Cyber Emergency Response Team said in an advisory (PDF) issued on Tuesday. Palatine, Illinois–based Schneider Electric, the maker of the device, has produced fixes for some of the weaknesses and continues to develop additional mitigations.

The PLCs, or programmable logic controllers, reside at the lowest levels of an industrial plant, where computerized sensors meet the valves, turbines, or other machinery that's being controlled. The default passwords are hard-coded into Ethernet cards the systems use to funnel commands into the devices, and temperatures and other data out of them. The Ethernet modules also allow administrators to remotely log into the machinery using protocols such as telnet, FTP, and something called the Windriver Debug port.

According to a blog post published on Monday by independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even in cases where the passcodes are obscured using cryptographic hashes, they are trivial to recover thanks to documented weaknesses in the underlying VxWorks operating system. As a result, attackers can exploit the weakness to log into devices and gain privileged access to its controls.

Hard-coded passwords are a common weakness built into many industrial control systems, including some S7 series of PLCs from Siemens. Because the systems control the machinery connected to dams, gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat because it could be used to sabotage their operation.

The FBI has said it's investigating claims a Houston, Texas–based water utility was breached last month by someone claiming to have accessed the internet-connected computers that control its generators, blowers, and other sensitive gear.

“Hard-coded backdoor credentials that give you administrator rights to a system are pretty severe,” said K. Reid Wightman, a security assessor with Digital Bond, a consultancy that focuses solely on ICS security. He said it can be hard for attackers to exercise too much control over an ICS by taking over the PLC alone, because there's often no indication what kind of equipment is connected to it.

“You don't have the human machine interface so you don't really know what the PLC is plugged into,” he explained. “I really don't know if the [device] is a release valve, an input valve, or a lightbulb.”

Research Wightman plans to release next month at the SCADA Security Scientific Symposium in Miami could increase the damage that attackers can do after gaining access to many widely used PLCs. Among other things, he said his findings would show how to tamper with the device so that they attack other systems they are attached to.

Indeed, in Monday's blog post, Santamarta said the hard-coded credentials could be exploited to install malicious firmware on the controllers. He also alluded to “non-documented functionalities with security implications” in the Schneider devices. He said he discovered the hidden accounts by reverse engineering the firmware that controls the PLCs.

A rudimentary search on the server search engine known as Shodan revealed what appear to be working links to several of the vulnerable Schneider models. Santamarta said there is no fix for the devices other than to retire the faulty Ethernet cards and replace them with better-designed ones. Tuesday's ICS-CERT advisory said the fixes from Schneider removes the telnet and Windriver services. The advisory made no mention of changes to FTP services. ®

Follow dangoodin001.

Internet Security Threat Report 2014

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
How to simplify SSL certificate management
Simple steps to take control of SSL certificates across the enterprise, and recommendations centralizing certificate management throughout their lifecycle.