Backdoor In RuggedOS Systems: Infrastructure, Military Systems Vulnerable
FhnuZoag writes "A backdoor has been found in Canadian-based RuggedCom's 'Rugged Operating System', providing easy access to anyone with the device's MAC address — something often publicly displayed. Rugged OS is being used in a wide range of applications, including traffic control, power generation, and even U.S. Navy bases. The backdoor was first found over a year ago, and RuggedCom have so far refused to patch out the exploit."
The exploit is trivial: each device has a permanent "factory" user, and an automatically generated password derived from the MAC.
Unchangeable default password = MEGAFAIL
"When information is power, privacy is freedom" - Jah-Wren Ryel
never get involved in a land war in Asia Never go against a Sicilian when death is on the line
It really isn't 6 bytes either. Since RuggedCom has two registered MAC OUIs (grep for "RuggedCom"), it's only 24 bits to brute-force over two possible 3-byte manufacturer prefixes.
Yeah. Fail-flavored failure-stuffed failure topped with fail gravy.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Okay, this feature has its use. Let's say Beardo works for the city for 15 years and puts a password on all the light controllers. That's only sane, right? You don't want some asshole changing the light pattern so they get a green light every morning at 7:43 when they're on their way to work or disabling the first-responder receiver.
Let's also assume that Beardo got passed over for a raise AGAIN and decided, "okay, that's it, I'm leaving." Five years later they have to change the timing for some reason, let's say more traffic at the intersection or something, and Beardo is nowhere to be found. He's got a new job in Bermuda and you'll never hear from him again. (I actually did have a co-worker get a job in Bermuda and to this day I am unable to determine if he is alive or dead.)
Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."
You've got to either find the password or send the unit back to the factory to get it reset to the blank factory default (AutomationDirect will do this). People forget passwords. I'm sure once we switch to biometrics people will forget their thumbs or something.
HOWEVER, this feature should require some kind of dongle from the manufacturer or some kind of wetwork. Well, then I guess the exploit becomes "anyone with $175 to buy an NRD-1298 from Rugged can run a Perl script". Even if there was a master password list in the factory then someone could break in or bribe their way into the system. Maybe this password should only work on a direct link like the serial port.
What I guess the company could have done is add the PO number or customer number to the MAC address and then use a more robust password generator to figure it out. I'm not entirely sure what they could do to make it a secure way of getting into your legitimately owned, but inadvertently locked, machine.
Hell, if you get two keys for a master-locked system you can narrow down the master key to one of 17 possibilities. We don't go around telling people that their doors aren't going to work.
Also, I hate to mention this, but I've said it before, the military uses weaponry to enforce their system security. If you're sitting on a rowboat with a parabolic dish, the frigate is going to shoot bullets at you.
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
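The summary says the "factory" password is derived from the MAC, and the comment above asks what the vendor could have done instead. The following added Python illustration (not code from RuggedCom, the article, or any commenter; the `derive_from_mac` function is a made-up toy, not the real Rugged OS algorithm) puts the two designs side by side: a secret computed from a public identifier can never hold more entropy than the identifier itself (24 free bits per known OUI, as the thread notes), whereas a per-device recovery secret generated from a CSPRNG at manufacture, printed on the unit's label and stored only as a hash, gives a recovery path that does not leak to anyone who can read the MAC. The OUIs in `EXAMPLE_OUIS` are constructed placeholders.

```python
"""Added illustration of MAC-derived versus randomly issued recovery secrets.
Not the vendor's code; the derivation here is a hypothetical toy."""
import hashlib
import hmac
import math
import secrets

# Constructed placeholder manufacturer prefixes (NOT RuggedCom's real OUIs).
EXAMPLE_OUIS = ("00:11:22", "00:33:44")


def derive_from_mac(mac: str) -> str:
    """Toy stand-in for a password computed from the MAC (hypothetical scheme).
    Whatever the function, anyone who can read the label can recompute it."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:8]


def mac_candidate_space(oui_count: int) -> int:
    """Candidate MACs when only the vendor prefixes are known:
    the low 24 bits are free for each known OUI."""
    return oui_count * (1 << 24)


def derived_secret_entropy_bits(oui_count: int) -> float:
    """Upper bound on the entropy of ANY secret derived solely from the MAC:
    it cannot exceed log2 of the number of possible MACs."""
    return math.log2(mac_candidate_space(oui_count))


def issue_recovery_secret(nbytes: int = 16) -> tuple[str, str]:
    """Hardened alternative: a CSPRNG secret generated per device at manufacture.
    Returns (secret_for_the_label, hash_to_store); the plaintext is never kept."""
    secret = secrets.token_hex(nbytes)  # nbytes*8 bits of real entropy
    return secret, hashlib.sha256(secret.encode()).hexdigest()


def verify_recovery_secret(presented: str, stored_hash: str) -> bool:
    """Constant-time comparison of the presented secret against the stored hash."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, stored_hash)


if __name__ == "__main__":
    print("MAC-derived secret, two known OUIs: at most",
          derived_secret_entropy_bits(len(EXAMPLE_OUIS)), "bits")
    label_secret, stored = issue_recovery_secret()
    print("Random recovery secret:", len(label_secret) * 4, "bits; stored hash only")
    print("Verification:", verify_recovery_secret(label_secret, stored))
```

With two known prefixes the derived design tops out at 25 bits of entropy, and that is before accounting for the MAC being printed on the chassis; the random secret carries 128 bits and is useless to anyone who only has the device's public identifiers.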
Look up the term "defense in depth." You do not stop at establishing perimeter security, an appropriate security architecture involves many layers of security thus ensuring you aren't screwed if someone decides to install a DSL line in the plant. Or a cellular modem connected to the serial port of this device in an electric substation. Or in case Bob the IT genius decides to punch a telnet hole through the firewall to make remote admin easier.
Cain and Abel can do an ARP sweep for every possible MAC on a 10 Mbps link in a handful of minutes.
That number isn't as large as you think it is.
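The flip side of the ARP sweep mentioned in the comment above is that such a sweep is loud on the wire. The following added Python detector (not from the article or any commenter) parses tcpdump-style "who-has" ARP request lines and flags any source that asks for more than a threshold of distinct addresses within a sliding time window. The log format, the sample lines in `sample_lines()` and the default threshold are all assumptions for the example.

```python
"""Added example: flag ARP sweeps from ARP request log lines (assumed tcpdump-like format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: "HH:MM:SS.ffffff ARP, Request who-has <target> tell <src>, length 28"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has (?P<target>[\d.]+) tell (?P<src>[\d.]+)"
)


def parse_arp_line(line):
    """Return (timestamp, source_ip, target_ip) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
    return ts, m.group("src"), m.group("target")


def detect_arp_sweeps(lines, window=timedelta(seconds=10), threshold=50):
    """Return {source_ip: max_distinct_targets} for sources that queried at least
    `threshold` distinct targets inside any `window`-long span of time."""
    events = defaultdict(list)  # source_ip -> [(ts, target_ip)]
    for line in lines:
        parsed = parse_arp_line(line)
        if parsed:
            ts, src, target = parsed
            events[src].append((ts, target))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        best = 0
        in_window = defaultdict(int)  # target_ip -> count inside the current window
        for ts, tgt in evs:
            in_window[tgt] += 1
            # Slide the left edge forward until the window fits.
            while ts - evs[left][0] > window:
                old_tgt = evs[left][1]
                in_window[old_tgt] -= 1
                if in_window[old_tgt] == 0:
                    del in_window[old_tgt]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            hits[src] = best
    return hits


def sample_lines():
    """Constructed sample: 10.0.0.250 sweeps 10.0.0.1-100 in half a second,
    while 10.0.0.7 sends two ordinary ARP requests."""
    lines = []
    base = datetime.strptime("12:00:00.000000", "%H:%M:%S.%f")
    for i in range(1, 101):
        ts = base + timedelta(milliseconds=5 * i)
        lines.append(f"{ts.strftime('%H:%M:%S.%f')} ARP, Request who-has 10.0.0.{i} "
                     f"tell 10.0.0.250, length 28")
    lines.append("12:00:03.100000 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28")
    lines.append("12:00:05.200000 ARP, Request who-has 10.0.0.254 tell 10.0.0.7, length 28")
    return lines


if __name__ == "__main__":
    for src, n in detect_arp_sweeps(sample_lines()).items():
        print(f"possible ARP sweep from {src}: {n} distinct targets in window")
```

A switch with port security or a span port feeding this kind of counter gives the plant a chance to notice the reconnaissance the comment describes, rather than relying on the address space being "large enough".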
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
wetwork
Is this some sort of computer security term? "Wetwork" is slang for "murder" in the espionage world.
Random Thoughts From A Diseased Mind (Not For Dummies)