Read this story on The Register

Homebrew crypto SNAFU on electrical grid sees GE rush patches

Boffins turned up hard-coded password in ancient controllers

By Richard Chirgwin

Posted in Security, 27th April 2017 01:59 GMT

Updated General Electric is pushing patches for protection relay bugs that, if exploited, could open up transmission systems to a grid-scale attack.

The company hasn't published much by way of detail, but spoke to Reuters after this Black Hat abstract was published (the talk will be delivered to the July conference in Les Vegas).

The three New York University researchers say they cracked the homebrew encryption in the ancient GE Multilin systems. The abstract is light on detail, but it appears the researchers found a hardcoded password: “we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations. Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack”.

GE told Reuters the bug is in units dating from the 1990s (a time when, The Register notes, “homebrew” encryption was the norm, rather than known bad practice).

GE's Annette Busateri told Reuters the company is notifying customers and rolling out upgrades for the bug. There's a patch available for five out of the six affected products, she said, with the sixth to land soon.

The protection relays are used to cut off parts of the grid to protect against dangerous conditions.

A remote exploit would demand that the relays are connected to the Internet, with inadequate protection against access.

The researchers, Anastasis Keliris and Charalambos Konstantinou of New York University and Mihalis Maniatakos of NYU in Dubai, say they'll show off an exploit on a feeder management relay – but don't specify that they'll be demonstrating a remote attack.

The Register has contacted GE for comment. ®

Update: America's ICS-CERT has put out an advisory detailing specific products subject to the vulnerability. ®

Sign up to our NewsletterGet IT in your inbox daily

14 Comments

More from The Register

Security firm clarifies power-station 'SCADA' malware claim

It's not the next Stuxnet, says SentinelOne, it's just very naughty code

SCADA malware caught infecting European energy company

'Nation-state' fingered

SBU claims Russia was behind NotPetya

So does ESET, which reckons the malware spread better than its authors expected

Russia, America dig into tug-of-war over Bitcoin laundering suspect

We want him! No, he's ours! Shut up!

To Russia, with love: Greek court now says Bitcoin fraud suspect could be tried at home

US and Moscow both want to extradite Alexander Vinnik, 38, but minister of justice will decide

Russia to block access to cryptocurrency exchanges' websites – report

Updated Central bank deputy governor calls them 'dubious'

Russia tweaks Telegram with tiny fine for decryption denial

FSB wanted keys, messaging outfit said Nyet

Politics is going digital, but guns and money still pack a punch

Reg Lectures If you’re looking for power, you probably haven’t got any

Crumbs! Crunchyroll distributed malware for a couple of hours

Anime-streamer is fine again, and disinfection is easy

Move over, Stuxnet: Industroyer malware linked to Kiev blackouts

Modular nasty can seize direct control of substation switches and circuit breakers