Homebrew crypto SNAFU on electrical grid sees GE rush patches
Boffins turned up hard-coded password in ancient controllers
Updated General Electric is pushing patches for protection relay bugs that, if exploited, could open up transmission systems to a grid-scale attack.
The company hasn't published much by way of detail, but spoke to Reuters after this Black Hat abstract was published (the talk will be delivered to the July conference in Les Vegas).
The three New York University researchers say they cracked the homebrew encryption in the ancient GE Multilin systems. The abstract is light on detail, but it appears the researchers found a hardcoded password: “we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations. Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack”.
GE told Reuters the bug is in units dating from the 1990s (a time when, The Register notes, “homebrew” encryption was the norm, rather than known bad practice).
GE's Annette Busateri told Reuters the company is notifying customers and rolling out upgrades for the bug. There's a patch available for five out of the six affected products, she said, with the sixth to land soon.
The protection relays are used to cut off parts of the grid to protect against dangerous conditions.
A remote exploit would demand that the relays are connected to the Internet, with inadequate protection against access.
The researchers, Anastasis Keliris and Charalambos Konstantinou of New York University and Mihalis Maniatakos of NYU in Dubai, say they'll show off an exploit on a feeder management relay – but don't specify that they'll be demonstrating a remote attack.
The Register has contacted GE for comment. ®
Update: America's ICS-CERT has put out an advisory detailing specific products subject to the vulnerability. ®