Feeds

Feds slam hacker-friendly backdoors in jalopy, grub factories

Kit easily violated by miscreants with 'minimal skill'

3 Big data security analytics techniques

Security researchers have uncovered hard-coded user accounts that could act as backdoors into food, car, and agricultural production systems across the world.

The flaw, which allows attackers to launch remote exploits, was found in a pair of industrial control devices.

The security hole was found in the BL20 and BL67 Programmable Gateways made by German firm Turck. The kit is used across many industries - including agriculture and food, automotive and manufacturing - to control industrial plant equipment in the United States, Europe and Asia.

Left unresolved, the flaw might be used by hackers to shut down production lines or otherwise create havoc on systems managed with the vulnerable controllers.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory notice providing links to updated firmware from Turck that mitigates against possible attacks.

The firmware update removes the hard-coded accounts accessible by the FTP service, thus preventing attackers from remotely accessing the device by using hard-coded credentials.

No known public exploits specifically target the vulnerability. However attackers with only minimal skill could potentially carry out an attack, ICS-CERT warns.

The flaws were uncovered by IOActive Labs, whose advisory (PDF) explains that the security snafu created a ready means to plant malware on insecure kit.

This vulnerability allows an attacker to remotely access the device, via its embedded FTP server, by using the undocumented hard-coded credentials. Thus, the attacker can install a trojanized firmware to control communications and processes.

This malicious code may create false communication between remote I/Os, PLCs, or DCS systems in order to compromise additional devices, disrupt legitimate services, or alter industrial processes.

Ruben Santamarta, the IOActive security consultant who unearthed the bugs, explained that the unaddressed flaw left the devices wide open to hackers who happened to know the default login credentials for the kit.

“These hard-coded user accounts pose a significant threat to organisations that have deployed the vulnerable Turck devices," he said. "Any attacker with knowledge of the credentials can effectively remotely control the devices and reap havoc on the network - easily disrupting or shutting down critical production lines."

"Affected organisations should immediately apply the updated firmware from Turck to remove these backdoors,” he added.

Santamarta added that the presence of the backdoors in industrial control kit is sadly typical of insecure product development across the sector.

“It is both surprising and disappointing that hard-coded user accounts like these continue to crop up in Industrial Control Systems. Vendors and purchasers of such critical technologies should take great care to ensure that similar vulnerabilities do not affect future product lines. The industry as a whole still has a long way to go in implementing secure development lifecycle principles,” he added. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.