Homebrew crypto SNAFU on electrical grid sees GE rush patches

Boffins turned up hard-coded password in ancient controllers

By Richard Chirgwin


Updated General Electric is pushing patches for protection relay bugs that, if exploited, could open up transmission systems to a grid-scale attack.

The company hasn't published much by way of detail, but spoke to Reuters after this Black Hat abstract was published (the talk will be delivered to the July conference in Les Vegas).

The three New York University researchers say they cracked the homebrew encryption in the ancient GE Multilin systems. The abstract is light on detail, but it appears the researchers found a hardcoded password: “we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations. Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack”.

GE told Reuters the bug is in units dating from the 1990s (a time when, The Register notes, “homebrew” encryption was the norm, rather than known bad practice).

GE's Annette Busateri told Reuters the company is notifying customers and rolling out upgrades for the bug. There's a patch available for five out of the six affected products, she said, with the sixth to land soon.

The protection relays are used to cut off parts of the grid to protect against dangerous conditions.

A remote exploit would demand that the relays are connected to the Internet, with inadequate protection against access.

The researchers, Anastasis Keliris and Charalambos Konstantinou of New York University and Mihalis Maniatakos of NYU in Dubai, say they'll show off an exploit on a feeder management relay – but don't specify that they'll be demonstrating a remote attack.

The Register has contacted GE for comment. ®

Update: America's ICS-CERT has put out an advisory detailing specific products subject to the vulnerability. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Russia's national vulnerability database is a bit like the Soviet Union – sparse and slow

By design, though, not... er, general rubbishness

Apache Hadoop spins cracking code injection vulnerability YARN

Loose .zips sink chips 2: Electric Boogaloo

Scare Force: Pakistan military hit by Operation Shaheen malware

State-sponsored attack looks to infiltrate nuclear Air Force

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

That Saudi oil and gas plant that got hacked. You'll never guess who could... OK, it's Russia

FireEye reckons it's fingered the miscreants behind nasty cyber-infection at industrial complex

Russia appears to be 'live testing' cyber attacks – Former UK spy boss Robert Hannigan

InfoSec Europe Warns that nation state hacking threatens corporate networks

Security firm clarifies power-station 'SCADA' malware claim

It's not the next Stuxnet, says SentinelOne, it's just very naughty code

Google Play Store spews malware onto 9 million 'Droids

How did these get through the net?

Pwned with '4 lines of code': Researchers warn SCADA systems are still hopelessly insecure

BSides London How Stuxnet, Shamoon, et al ran riot

Jeez, not now, Iran... Facebook catches Mid East nation running trolly US, UK politics ads

Whack-a-Troll: Ad biz smashes latest manipulation plot to show it's doing... something