Homebrew crypto SNAFU on electrical grid sees GE rush patches

Boffins turned up hard-coded password in ancient controllers

By Richard Chirgwin

Posted in Security, 27th April 2017 01:59 GMT

Updated General Electric is pushing patches for protection relay bugs that, if exploited, could open up transmission systems to a grid-scale attack.

The company hasn't published much by way of detail, but spoke to Reuters after this Black Hat abstract was published (the talk will be delivered to the July conference in Les Vegas).

The three New York University researchers say they cracked the homebrew encryption in the ancient GE Multilin systems. The abstract is light on detail, but it appears the researchers found a hardcoded password: “we completely broke the home brew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations. Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack”.

GE told Reuters the bug is in units dating from the 1990s (a time when, The Register notes, “homebrew” encryption was the norm, rather than known bad practice).

GE's Annette Busateri told Reuters the company is notifying customers and rolling out upgrades for the bug. There's a patch available for five out of the six affected products, she said, with the sixth to land soon.

The protection relays are used to cut off parts of the grid to protect against dangerous conditions.

A remote exploit would demand that the relays are connected to the Internet, with inadequate protection against access.

The researchers, Anastasis Keliris and Charalambos Konstantinou of New York University and Mihalis Maniatakos of NYU in Dubai, say they'll show off an exploit on a feeder management relay – but don't specify that they'll be demonstrating a remote attack.

The Register has contacted GE for comment. ®

Update: America's ICS-CERT has put out an advisory detailing specific products subject to the vulnerability. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Security firm clarifies power-station 'SCADA' malware claim

It's not the next Stuxnet, says SentinelOne, it's just very naughty code

SCADA malware caught infecting European energy company

'Nation-state' fingered

UK names Russia as source of NotPetya, USA follows suit

Updated 'Almost certain' assessment enough for official blast from Foreign Office

Ex-GCHQ boss: All the ways to go after Russia. Why pick cyberwar?

Adds his 2 cents as PM, security council meet about Salisbury poisoning

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

SBU claims Russia was behind NotPetya

So does ESET, which reckons the malware spread better than its authors expected

GCHQ boss calls out Russia for 'industrial scale disinformation'

Kremlin 'blurring boundaries between criminal and state activity' – director

We're Putin our foot down! DHS, FBI blame Russia for ongoing infrastructure hacks

Alert adds detail to 'Dragonfly' cyber-attack disclosed last year

Why bother cracking PCs? Spot o' malware on PLCs... Done. Industrial control network pwned

Jumping the air gap

Russia, America dig into tug-of-war over Bitcoin laundering suspect

We want him! No, he's ours! Shut up!