Feeds

Feds slam hacker-friendly backdoors in jalopy, grub factories

Kit easily violated by miscreants with 'minimal skill'

Securing Web Applications Made Simple and Scalable

Security researchers have uncovered hard-coded user accounts that could act as backdoors into food, car, and agricultural production systems across the world.

The flaw, which allows attackers to launch remote exploits, was found in a pair of industrial control devices.

The security hole was found in the BL20 and BL67 Programmable Gateways made by German firm Turck. The kit is used across many industries - including agriculture and food, automotive and manufacturing - to control industrial plant equipment in the United States, Europe and Asia.

Left unresolved, the flaw might be used by hackers to shut down production lines or otherwise create havoc on systems managed with the vulnerable controllers.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory notice providing links to updated firmware from Turck that mitigates against possible attacks.

The firmware update removes the hard-coded accounts accessible by the FTP service, thus preventing attackers from remotely accessing the device by using hard-coded credentials.

No known public exploits specifically target the vulnerability. However attackers with only minimal skill could potentially carry out an attack, ICS-CERT warns.

The flaws were uncovered by IOActive Labs, whose advisory (PDF) explains that the security snafu created a ready means to plant malware on insecure kit.

This vulnerability allows an attacker to remotely access the device, via its embedded FTP server, by using the undocumented hard-coded credentials. Thus, the attacker can install a trojanized firmware to control communications and processes.

This malicious code may create false communication between remote I/Os, PLCs, or DCS systems in order to compromise additional devices, disrupt legitimate services, or alter industrial processes.

Ruben Santamarta, the IOActive security consultant who unearthed the bugs, explained that the unaddressed flaw left the devices wide open to hackers who happened to know the default login credentials for the kit.

“These hard-coded user accounts pose a significant threat to organisations that have deployed the vulnerable Turck devices," he said. "Any attacker with knowledge of the credentials can effectively remotely control the devices and reap havoc on the network - easily disrupting or shutting down critical production lines."

"Affected organisations should immediately apply the updated firmware from Turck to remove these backdoors,” he added.

Santamarta added that the presence of the backdoors in industrial control kit is sadly typical of insecure product development across the sector.

“It is both surprising and disappointing that hard-coded user accounts like these continue to crop up in Industrial Control Systems. Vendors and purchasers of such critical technologies should take great care to ensure that similar vulnerabilities do not affect future product lines. The industry as a whole still has a long way to go in implementing secure development lifecycle principles,” he added. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.