Slashdot Mirror

← Back to Stories (view on slashdot.org)

Backdoor In RuggedOS Systems: Infrastructure, Military Systems Vulnerable

Posted by Unknown on from the steal-me-up-some-electricity dept.

FhnuZoag writes "A backdoor has been found in Canadian based RuggedCom's 'Rugged Operating System', providing easy access to anyone with the devices's MAC address — something often publically displayed. Rugged OS is being used in a wide range of applications, including traffic control, power generation, and even U.S. Navy bases. The backdoor was first found over a year ago, and RuggedCom have so far refused to patch out the exploit." The exploit is trivial: each device has a permanent "factory" user, and an automatically generated password derived from the MAC.

12 of 154 comments (clear)

  1. exploit by vlm · · Score: 5, Insightful

    Looks like to exploit this, you need the MAC addrs.
    1) One way is to be on the same LAN segment and watch a sniffer. This means you're already dead because you've lost physical security.
    2) Another way is to telnet (FREAKING telnet in 2012?) into the device and the MAC is in the MOTD. This means you're already dead because you've lost all network security. What kind of madman allows telnet traffic thru a firewall in 2012? What kind of a madman allows unrestricted internet access to an embedded control device?
    3) If you manage to somehow own a plain ole PC on a scada network, now you can own embedded control devices. But having an owned PC on your network means you're dead anyway.

    I'm still struggling to figure out how a live, well run network could be in danger. What I mean is to implement this exploit takes a system that is already more screwed up than anything you could do with the exploit.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:exploit by Guppy06 · · Score: 5, Insightful

      4) brute force the password, knowing that only 3 bytes are unique to the device.

    2. Re:exploit by Zocalo · · Score: 4, Insightful

      Also, don't forget that the first couple of those bytes are specific to a vendor, and in RuggedCom's case those would be "000ADC". So that leaves only 2^24 possible MACs from which to generate passwords to try, a search space which could then be further reduced by the need to be able to actually type the password in.

      Barring rate limiting, or other protection mechanisms (unlikely on a SCADA device) I'd estimate that a brute force attack on a 100mb/s link is going to be done and dusted in a matter of minutes rather than hours or days.

      --
      UNIX? They're not even circumcised! Savages!
  2. Especially things with factory supplied backdoor by perpenso · · Score: 4, Insightful

    Nothing is 100% secure. Nothing. At. All.

    Especially those things with a factory supplied backdoor. Regardless of the complexity of the password, regardless of how the marketing guys try to spin it as a "maintenance portal" or whatever they are calling it (assuming of course customers knew it was there), such a thing is essentially a backdoor.

    Hopefully this was something that customers were aware of and something that customers could disable. Or more optimistically a debugging feature customers would have to enable for a session while in direct communication with the factory. Even so a hypothetically generate-able password is troubling.

  3. Engineers overlooking the obvious design by Anonymous Coward · · Score: 4, Insightful

    The obvious correct hardware design was a simple switch (on the device) that allows usage of a default password. That way, you ensure both that you can put maintenance to the device in the future, whilst maintaining daily security.

    1. Re:Engineers overlooking the obvious design by h4rr4r · · Score: 5, Insightful

      Also when the switch is flipped it should not perform its normal work.

      That way it cannot be left in that mode.

  4. Re:Nothing is 100% secure. by cpu6502 · · Score: 4, Insightful

    >>>the failure to address it.

    I suppose this is why OSS advocates claim closed-source is bad? You can't fix the problem yourself, and if the company refuses to do it, then you're stuck.

    --
    My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
  5. Re:Nothing is 100% secure. by gstoddart · · Score: 4, Insightful

    I think you're giving them far too much credit.

    A password generated using an externally visible attribute of the device is pure incompetence and making stupid decisions.

    This isn't about Beardo going away and losing the password, it's about someone making one of those shockingly stupid decisions about convenience over security which leads to security through obscurity.

    As TFS says, this is bordering on a trivial exploit since you can likely hack any and all devices running this OS merely by figuring out its MAC address.

    What's more, researchers say, for years the company hasn't bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

    This is just blatantly moronic. If you're marketing yourself for "mission critical", don't do something this stupid.

    --
    Lost at C:>. Found at C.
  6. Re:Nothing is 100% secure. by splatter · · Score: 3, Insightful

    Never bet on a pool game against anyone named after a state.

    --
    "(I) have this unfortunate condition that causes me not to believe a single thing any politician says when a mic's on.
  7. Re:Nothing is 100% secure. by H0p313ss · · Score: 5, Insightful

    Never get involved in a software project where the team leader says either "agile" or "scrum" in every second sentence.

    --
    XML is a known as a key material required to create SMD: Software of Mass Destruction
  8. Re:Nothing is 100% secure. by Beardo+the+Bearded · · Score: 3, Insightful

    Right, which means anyone with a pair of overalls can change the light controller.

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  9. Re:Nothing is 100% secure. by DarwinSurvivor · · Score: 3, Insightful

    Once you have physical acccess, it's game over.