Original URL: http://www.theregister.co.uk/2013/05/24/turck_industrial_control_backdoor/

Feds slam hacker-friendly backdoors in jalopy, grub factories

Kit easily violated by miscreants with 'minimal skill'

By John Leyden

Posted in Security, 24th May 2013 11:04 GMT

Security researchers have uncovered hard-coded user accounts that could act as backdoors into food, car, and agricultural production systems across the world.

The flaw, which allows attackers to launch remote exploits, was found in a pair of industrial control devices.

The security hole was found in the BL20 and BL67 Programmable Gateways made by German firm Turck. The kit is used across many industries - including agriculture and food, automotive and manufacturing - to control industrial plant equipment in the United States, Europe and Asia.

Left unresolved, the flaw might be used by hackers to shut down production lines or otherwise create havoc on systems managed with the vulnerable controllers.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory notice providing links to updated firmware from Turck that mitigates against possible attacks.

The firmware update removes the hard-coded accounts accessible by the FTP service, thus preventing attackers from remotely accessing the device by using hard-coded credentials.

No known public exploits specifically target the vulnerability. However attackers with only minimal skill could potentially carry out an attack, ICS-CERT warns.

The flaws were uncovered by IOActive Labs, whose advisory (PDF) explains that the security snafu created a ready means to plant malware on insecure kit.

This vulnerability allows an attacker to remotely access the device, via its embedded FTP server, by using the undocumented hard-coded credentials. Thus, the attacker can install a trojanized firmware to control communications and processes.

This malicious code may create false communication between remote I/Os, PLCs, or DCS systems in order to compromise additional devices, disrupt legitimate services, or alter industrial processes.

Ruben Santamarta, the IOActive security consultant who unearthed the bugs, explained that the unaddressed flaw left the devices wide open to hackers who happened to know the default login credentials for the kit.

“These hard-coded user accounts pose a significant threat to organisations that have deployed the vulnerable Turck devices," he said. "Any attacker with knowledge of the credentials can effectively remotely control the devices and reap havoc on the network - easily disrupting or shutting down critical production lines."

"Affected organisations should immediately apply the updated firmware from Turck to remove these backdoors,” he added.

Santamarta added that the presence of the backdoors in industrial control kit is sadly typical of insecure product development across the sector.

“It is both surprising and disappointing that hard-coded user accounts like these continue to crop up in Industrial Control Systems. Vendors and purchasers of such critical technologies should take great care to ensure that similar vulnerabilities do not affect future product lines. The industry as a whole still has a long way to go in implementing secure development lifecycle principles,” he added. ®