Backdoor In RuggedOS Systems: Infrastructure, Military Systems Vulnerable
FhnuZoag writes "A backdoor has been found in Canadian-based RuggedCom's 'Rugged Operating System', providing easy access to anyone with the device's MAC address — something often publicly displayed. Rugged OS is being used in a wide range of applications, including traffic control, power generation, and even U.S. Navy bases. The backdoor was first found over a year ago, and RuggedCom have so far refused to patch out the exploit."
The exploit is trivial: each device has a permanent "factory" user, and an automatically generated password derived from the MAC.
There's a difference between "Nothing is 100% secure" and "Why yes sir, I will lay out the welcoming mat for you".
Unchangeable default password = MEGAFAIL
"When information is power, privacy is freedom" - Jah-Wren Ryel
You are correct. The issue isn't how easy it is to exploit, but rather how easy it would have been to not have this "feature", and the failure to address it.
Tequila: It's not just for breakfast anymore!
What's this JC CREW organization that supposedly discovered this backdoor? Is it a corporation? A group of hackers? A single individual? In the US? International?
I went to their site at www.jccrew.org and it's just a picture of a burned out car. I don't get it. This is huge, but I can't find anything about the research person or organization.
Never play cards with a man called Doc. Never eat at a place called Mom's. Never sleep with a woman whose troubles are worse than your own.
Never trust an OS with 'Rugged' in its name.
Faster! Faster! Faster would be better!
Using this device would mean you would fail PCI-DSS and probably a few other widely used standards (ISO-27001 for example). One of the first requirements in these standards is that default vendor passwords be changed. You can't change it or even disable it.
Oolite: Elite-like game. For Mac, Linux and Windows
RuggedCom have so far refused to patch out the exploit.
Perhaps when Siemens moves in new management, the problem will be fixed. After having the egg of Stuxnet on their face, they might be a bit more proactive about these sorts of things.
Have gnu, will travel.
Looks like to exploit this, you need the MAC address.
1) One way is to be on the same LAN segment and watch a sniffer. This means you're already dead because you've lost physical security.
2) Another way is to telnet (FREAKING telnet in 2012?) into the device and the MAC is in the MOTD. This means you're already dead because you've lost all network security. What kind of madman allows telnet traffic through a firewall in 2012? What kind of a madman allows unrestricted internet access to an embedded control device?
3) If you manage to somehow own a plain ole PC on a scada network, now you can own embedded control devices. But having an owned PC on your network means you're dead anyway.
I'm still struggling to figure out how a live, well run network could be in danger. What I mean is to implement this exploit takes a system that is already more screwed up than anything you could do with the exploit.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Does this mean that there will now be another set of noise with script kiddies trying to create automated scanners to locate these devices, thus adding more junk for me to look through in the logs?
--
Time is on my side
Nothing is 100% secure. Nothing. At. All.
Especially those things with a factory supplied backdoor. Regardless of the complexity of the password, regardless of how the marketing guys try to spin it as a "maintenance portal" or whatever they are calling it (assuming of course customers knew it was there), such a thing is essentially a backdoor.
Hopefully this was something that customers were aware of and something that customers could disable. Or more optimistically a debugging feature customers would have to enable for a session while in direct communication with the factory. Even so a hypothetically generate-able password is troubling.
It is a device for industrial manufacturing. In the past the terminals and switches were accessible to anybody allowed into that area. It is an access problem. The network in a manufacturing plant should be inaccessible from outside. Why is that even news?
hfoo
I think they sell clothing - JCrew has lots on their website. :-)
We'll already be fully aware who our biggest enemy is: big business.
I'm certain the inevitable legislation to come from this will fairly and accurately reflect that fact...
An enigma, wrapped in a riddle, shrouded in bacon and cheese
The obvious correct hardware design was a simple switch (on the device) that allows usage of a default password. That way, you ensure both that you can put maintenance to the device in the future, whilst maintaining daily security.
>>>the failure to address it.
I suppose this is why OSS advocates claim closed-source is bad? You can't fix the problem yourself, and if the company refuses to do it, then you're stuck.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
Never get involved in a land war in Asia. Never go against a Sicilian when death is on the line.
Okay, this feature has its use. Let's say Beardo works for the city for 15 years and puts a password on all the light controllers. That's only sane, right? You don't want some asshole changing the light pattern so they get a green light every morning at 7:43 when they're on their way to work or disabling the first-responder receiver.
Let's also assume that Beardo got passed over for a raise AGAIN and decided, "okay, that's it, I'm leaving." Five years later they have to change the timing for some reason, let's say more traffic at the intersection or something, and Beardo is nowhere to be found. He's got a new job in Bermuda and you'll never hear from him again. (I actually did have a co-worker get a job in Bermuda and to this day I am unable to determine if he is alive or dead.)
Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."
You've got to either find the password or send the unit back to the factory to get it reset to the blank factory default (Automation Direct will do this). People forget passwords. I'm sure once we switch to biometrics people will forget their thumbs or something.
HOWEVER this feature should require some kind of dongle from the manufacturer or some kind of wetwork. Well, then I guess the exploit becomes "anyone with $175 to buy an NRD-1298 from Rugged can run a Perl script". Even if there was a master password list in the factory then someone could break in or bribe their way into the system. Maybe this password should only work on a direct link like the serial port.
What I guess the company could have done is add the PO number or customer number to the MAC address and then use a more robust password generator to figure it out. I'm not entirely sure what they could do to make it a secure way of getting into your legitimately owned, but inadvertently locked, machine.
Hell, if you get two keys for a master-locked system you can narrow down the master key to one of 17 possibilities. We don't go around telling people that their doors aren't going to work.
Also, I hate to mention this, but I've said it before, the military uses weaponry to enforce their system security. If you're sitting on a rowboat with a parabolic dish, the frigate is going to shoot bullets at you.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Nice over-architected solution. Sorry you took so long to type out such an insanely complex, impossible-to-implement solution. Maybe RuggedCom has a job for you!
Alternate option: Simply make a bootrom option such that someone at the console during a power cycle can bypass the authentication. Cisco implemented this. It's not hard. No magic calculations, PO numbers, customer numbers.
http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml
It means "covered with carpet", right?
I think you're giving them far too much credit.
A password generated using an externally visible attribute of the device is pure incompetence and making stupid decisions.
This isn't about Beardo going away and losing the password, it's about someone making one of those shockingly stupid decisions about convenience over security which leads to security through obscurity.
As TFS says, this is bordering on a trivial exploit since you can likely hack any and all devices running this OS merely by figuring out its MAC address.
This is just blatantly moronic. If you're marketing yourself for "mission critical", don't do something this stupid.
Lost at C:>. Found at C.
Oh, he's not alive. He's not dead either. He went for a boat ride and he's just.... gone.
Hmmm....I happen to have some iocane here....care to partake in a battle of wits?
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
Never bet on a pool game against anyone named after a state.
"(I) have this unfortunate condition that causes me not to believe a single thing any politician says when a mic's on."
HOWEVER this feature should require some kind of dongle from the manufacturer or some kind of network.
Or, you could do what every $35 Internet router in the history of Best Buy does: put a little 5-cent button on the back of the device that restores its default settings (or bypasses the password check, or whatever).
I don't care if it's 90,000 hectares. That lake was not my doing.
It was supposed to be RiggedOS.
My other car is a 1984 Nark Avenger.
Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."
Why on earth would he set the password to 8675309? That's just silly.
Never get involved in a software project where the team leader says either "agile" or "scrum" in every second sentence.
XML is known as a key material required to create SMD: Software of Mass Destruction
Yup, but it's /marketed/ as "mission critical".
Just saying that if you're /buying/ "mission critical" kit, then you're the moron for not having thorough standards it must meet, and that includes a method of proving it does meet these.
This was outsourcing responsibility. This is buying a warranty, buying an insurance package you'll have to go to court to attempt to collect.
If you're outsourcing a "mission critical" aspect of your business, then you're not in that business. Then you're just a middleman.
Right, which means anyone with a pair of overalls can change the light controller.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Nothing. At. All.
Absolutely correct, but building in a back door with a password easily derived is almost, but not quite, entirely unlike security.
This makes me wonder how many other OS variants used in control systems have "factory" users built in.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Cue the platitudes that could be generically posted into half the articles on /. without reference to the article supposedly being commented on.
Oh, I see you're way ahead of me. Carry on...
"Convictions are more dangerous enemies of truth than lies."
That's all well and good... But maybe instead of using a back door account that is easily derived from the MAC address, they should have installed a public key?
This is just blatantly moronic. If you're marketing yourself for "mission critical", don't do something this stupid.
Two guys, a pickup truck, and a box of grenades can do roughly a Billion dollars of damage an hour in the greater Houston area, just hand tossing from public highways. There's a lot of trust in the world...what's moronic is trusting that any kind of password lock access on a computer system is "secure" from the bad guys. If a password is typed in, a telephoto high def video camera can snag it from across the street or Beardo the Disgruntled can give it to a bad guy as a prank.
Yeah, o.k., the MAC address as password scheme is a little more lame than some and should be stopped, but don't think that ANY password based scheme is really secure from a determined attacker.
wetwork
Is this some sort of computer security term? "Wetwork" is slang for "murder" in the espionage world.
Random Thoughts From A Diseased Mind (Not For Dummies)
And here I thought that was a normal Friday night in Texas. ;-)
Lost at C:>. Found at C.
Solder in a jumper or resistor.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Never play 3D chess with a Wookie.
Not so sure on that. I won a lot of money off of a guy named Vermont Average Build.
4) Brute-force the password, knowing that only 3 bytes are unique to the device.
You don't have to guess. The password is computable from the MAC address using this short Perl program.
The factory password is, literally, "factory". It cannot be disabled and its password cannot be changed.
Someone should go to jail for this. It may fall under criminal negligence, sabotage, or even providing material aid to terrorists.
Never say never
There's a difference between "Nothing is 100% secure" and "Why yes sir, I will lay out the welcoming mat for you".
Indeed. But the concept of "degree" is something beyond quite a few people. For them it is always black and white. Stupid really, but widespread. If the world were black and white, there would be zero point in risk management. Instead it is one of the most important supporting disciplines for technology. And one quite a few people do not get at all.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Ah, thanks! Now if I ever meet an electrical engineer who is also a spy, I can humorously confuse him!
Random Thoughts From A Diseased Mind (Not For Dummies)
Once you have physical access, it's game over.
Have the master password database at the manufacturer strongly encrypted, then have the password for that database on a couple of smartcards (one for use in recovery, one held elsewhere as a backup in case the first is rendered unusable). The database is only at risk if the smartcard's contents are intercepted by malware on that machine, up to (but not beyond) the point where the database is re-encrypted under a new key. If the machine is properly secured, the risk of this is close to zero.
OR
Have the master password database at the manufacturer off the corporate network. Passwords must be transferred physically from the master password computer to a networked machine in order to be used. Only the keys being used at that instant are ever at risk, the rest of the database is invisible. If the machine is properly secured, the risk of intercepting even the one or two keys exposed is close to zero.
OR
Use a one-time password system. You call up the manufacturer by phone, you read the challenge to them and they read you back what to type in to reset the administrator password. Since this changes each time a connection attempt is made, even if the call is intercepted the password is useless as a new socket connection by an intruder would have a different challenge even if created before the operator typed the answer to the challenge in.
The problem is that manufacturers are part of the precipitate rather than part of the solution.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
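The challenge-response recovery path sketched in the post above (and the earlier suggestion of keying recovery to a secret the manufacturer holds rather than to the MAC), worked through as an added example; this is not code from the thread or from RuggedCom. It assumes hypothetical names (`ManufacturerVault`, `Device`, `run_recovery_flow`), a per-device random recovery secret generated at manufacture and held offline, and an HMAC over a fresh nonce instead of a public-key signature, which is a simplification of the public-key idea raised earlier. The serial number and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Hypothetical names; constructed for this example, not a vendor API.


class ManufacturerVault:
    """Per-device recovery secrets held off the corporate network.

    Only the single answer being computed is ever exposed; the secret
    itself never leaves the vault and is never derived from MAC or serial.
    """

    def __init__(self):
        self._secrets = {}

    def provision(self, serial):
        # Generated once at manufacture from a CSPRNG, so knowing the
        # device's public identifiers gives no information about it.
        secret = secrets.token_bytes(32)
        self._secrets[serial] = secret
        return secret

    def answer(self, serial, challenge):
        # The operator reads the challenge out over the phone; the vault
        # returns a short response bound to that one challenge only.
        key = self._secrets[serial]
        digest = hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()
        return digest[:16]


class Device:
    def __init__(self, serial, recovery_secret):
        self.serial = serial
        self._secret = recovery_secret          # burned in at manufacture
        self._pending = None                    # outstanding challenge, if any
        self.admin_password = "operator-set"    # constructed sample value

    def issue_challenge(self):
        # A fresh random nonce for every attempt, so a response captured
        # during one recovery cannot be replayed in a later one.
        self._pending = secrets.token_hex(8)
        return self._pending

    def reset_with_response(self, response, new_password):
        if self._pending is None:
            return False
        expected = hmac.new(self._secret, self._pending.encode(),
                            hashlib.sha256).hexdigest()[:16]
        self._pending = None  # single use: consumed whether right or wrong
        if not hmac.compare_digest(expected, response):
            return False
        self.admin_password = new_password
        return True


def run_recovery_flow():
    """Legitimate recovery, a replay, and a guess from public data alone."""
    vault = ManufacturerVault()
    serial = "RS-CONSTRUCTED-0001"  # constructed sample serial
    dev = Device(serial, vault.provision(serial))

    # 1. Legitimate recovery: challenge -> phone call -> answer -> reset.
    c1 = dev.issue_challenge()
    a1 = vault.answer(serial, c1)
    first_ok = dev.reset_with_response(a1, "new-password")

    # 2. Replay: an eavesdropper who heard a1 tries it on a new challenge.
    dev.issue_challenge()
    replay_ok = dev.reset_with_response(a1, "attacker-password")

    # 3. Guess from the public identifier only, the flaw the thread is about:
    #    with no per-device secret, nothing derivable from the serial works.
    dev.issue_challenge()
    guess = hashlib.sha256(serial.encode()).hexdigest()[:16]
    guess_ok = dev.reset_with_response(guess, "attacker-password")

    return {
        "first_ok": first_ok,
        "replay_ok": replay_ok,
        "guess_ok": guess_ok,
        "password": dev.admin_password,
    }


if __name__ == "__main__":
    print(run_recovery_flow())
```

The property that matters is in `reset_with_response`: the expected answer depends on a nonce the device chose and discards after one use, so the "password" the manufacturer reads back is worthless to anyone who overhears it, and there is nothing a device's MAC or serial alone can be turned into.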
Maybe it IS a feature, so they hate to have to remove that. Don't rumors about NSA backdoors surface every now and then?
Not implementing a likely trivial patch to a gaping security hole hasn't many other credible explanations.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
Never beat off after chopping up scotch bonnet peppers.
-- I ignore anonymous replies to my comments and postings.
This is not quite the same, since you CAN change the passwords on an iLo/riLo or DRAC... the problem is that most people forget or don't. So you thought remote root was unavailable until that dictionary attack is remotely performed against a local console.
It beats a remote exploit. And the necessary reset should raise red flags.
Apparently it's what they sweep the security flaws under.
Never kill my father.