Slashdot Mirror


Private Key Found Embedded In Major SCADA Equipment

sl4shd0rk writes "RuggedOS (A Siemens Subsidiary of Flame and Stuxnet fame), an operating system used in mission-critical hardware such as routers and SCADA gear, has been found to contain an embedded private encryption key (PDF). Now that all affected RuggedCom devices are sharing the same key, a compromise on one device gets you the rest for free. If the claims are valid, systems in use which would be affected include U.S. Navy, petroleum giant Chevron, and the Wisconsin Department of Transportation. The SCADA gear which RuggedOS typically runs on is often connected to machinery controlling electrical substations, traffic control systems, and other critical infrastructure. This is the second security nightmare for RuggedCom this year, the first being the discovery of a backdoor containing a non-modifiable account."

5 of 105 comments

  1. Not a surprise by jandrese · Score: 5, Informative

    The embedded controller market is a market full of devices programmed by hardware engineers, not by security professionals. They don't open up their systems for peer review and thus security flaws make it into the final product. There is definitely a sense of security through obscurity with those products, and it almost works except that the internet makes it too easy to broadcast information to the world.

    At least now they know that their system is insecure, instead of having it come as a complete surprise when some attacker exploits the weakness to cause some sort of disaster.

    --

    I read the internet for the articles.
  2. "If the claims are valid..." by Jane Q. Public · Score: 5, Informative
    Um..... since, according to the document,

    "The vulnerability with proof-of-concept (PoC) exploit code was publicly presented by security researcher Justin W. Clarke of Cylance Inc."

    I strongly suspect that the claims are valid.

  3. Idiot Certificate Authorities by Anonymous Coward · Score: 2, Informative

    I lay blame at the CAs. I've spoken to two CAs about using certificates in embedded devices using lots of low-cost subdomains (guid.domain.com). Both recommended that I just use a wildcard certificate.

  4. Re:what goes around comes around by FhnuZoag · Score: 4, Informative

    There is no involvement of the Chinese in this story at all. The original company that created RuggedOS is Canadian. Who the heck modded the parent +5 Insightful?

  5. Re:Newbie question by dlgeek · Score: 3, Informative
    Actually, yes. The most common format for storing RSA keys is PEM and it looks like this (randomly generated key just for this post):

    -----BEGIN RSA PRIVATE KEY-----
    MIIBOQIBAAJBAKLdFpep/qw/SIf/wsO4T17GnttlhLjLrVCfM9p4D2gnnz3OiO45
    Xw1wonFOPR0D9ewAIi4yAhcMFXc2jyw3GbMCAwEAAQJAJV7R1k89jsyemgZH7J0Y
    KUkuHm22/KhPxpYhUdoGvwEqvuyEFdM6kGuFj5AwMD/R8E9g1JFrQSej1aXCvHM5
    oQIhANE3nxoo1pSLRrPv3/dPkq8l9VYtTcjCkiivbh6XHVa5AiEAx0gCx6DMBiGA
    rxdplBG9pA91lUptz6wQbiMsFsvzfcsCIB1zD+E1yGamaDBh3ovIVqRy2mLkA6Pz
    x3EUqJKDwOx5AiBW7DgaLy8O9YoV1VZ9+YcIip21MrPXQ6we/kR65RceJQIgYDV0
    I5e4ncpwsbz6q+VWjZ3mNaOnNgkxESmtQY4vzQo=
    -----END RSA PRIVATE KEY-----

    The base64 data in the middle is a structure that contains a bunch of numbers. The numbers present in a private key are different from (a superset of) those in a public key, so even if it's in a format that doesn't have the BEGIN..., by parsing the structure, you can see what's in it. (Try pasting the key block above into the stdin of openssl rsa -noout -text.)
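As an added example (not code from the post above or from RuggedCom), here is what "parsing the structure" looks like without OpenSSL, and the check an operator would actually want after this story: decode the PEM armour, walk the DER SEQUENCE of INTEGERs that makes up a PKCS#1 RSAPrivateKey, confirm the private numbers agree with the public ones, and fingerprint the public subset (n, e) across a fleet so that devices sharing one embedded key stand out. The keys are built from tiny, constructed Mersenne primes purely for illustration, the device names are hypothetical, and the fingerprint convention (SHA-256 over the DER RSAPublicKey) is this script's own rather than OpenSSL's.

```python
"""Parse a PKCS#1 "RSA PRIVATE KEY" PEM block without OpenSSL and check a
device fleet for a shared key.  Added example, not code from the post or
from any vendor; all keys below are built from tiny CONSTRUCTED primes and
are for illustration only (real keys are 2048+ bits)."""
import base64
import hashlib
from math import gcd

# --- minimal DER encode/decode: the PEM body is a SEQUENCE of INTEGERs ---

def der_len(n):
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(v):
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return b"\x02" + der_len(len(b)) + b

def der_seq(parts):
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

def parse_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV element starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long form: low 7 bits = number of length bytes
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln

# Field order of RSAPrivateKey (PKCS#1): the public key is just n and e.
FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")

def make_rsa_private_key_pem(p, q, e=65537):
    """Build a PKCS#1 RSAPrivateKey PEM from two primes (CONSTRUCTED toy key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    ints = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    b64 = base64.b64encode(der_seq([der_int(v) for v in ints])).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")

def parse_rsa_private_key(pem):
    """Strip the armour, base64-decode, and walk the SEQUENCE of INTEGERs.
    Handles PKCS#1 ('BEGIN RSA PRIVATE KEY') only; PKCS#8 ('BEGIN PRIVATE KEY')
    wraps this same structure in an extra AlgorithmIdentifier/OCTET STRING layer."""
    b64 = "".join(l.strip() for l in pem.splitlines()
                  if l.strip() and not l.strip().startswith("-----"))
    der = base64.b64decode(b64)
    tag, seq, _ = parse_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    vals, pos = [], 0
    while pos < len(seq) and len(vals) < len(FIELDS):   # ignores trailing otherPrimeInfos
        tag, content, pos = parse_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        vals.append(int.from_bytes(content, "big"))
    return dict(zip(FIELDS, vals))

def check_consistency(k):
    """The extra private numbers must agree with each other and with (n, e)."""
    p, q, d, e = k["p"], k["q"], k["d"], k["e"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (k["n"] == p * q and e * d % lam == 1
            and k["dp"] == d % (p - 1) and k["dq"] == d % (q - 1)
            and k["qinv"] == pow(q, -1, p))

def public_key_fingerprint(k):
    """SHA-256 over the DER RSAPublicKey SEQUENCE{n, e}, the public subset of
    the private key.  This script's own convention (not OpenSSL's SPKI hash);
    it only needs to be computed the same way on every device you compare."""
    return hashlib.sha256(der_seq([der_int(k["n"]), der_int(k["e"])])).hexdigest()

def shared_key_groups(fleet):
    """Map fingerprint -> device names; any group longer than 1 is a shared key."""
    groups = {}
    for name, pem in fleet.items():
        fp = public_key_fingerprint(parse_rsa_private_key(pem))
        groups.setdefault(fp, []).append(name)
    return groups

# Constructed toy keys (Mersenne primes, far too small for real use).
PEM_A = make_rsa_private_key_pem(2**31 - 1, 2**61 - 1)
PEM_B = make_rsa_private_key_pem(2**89 - 1, 2**107 - 1)
# Hypothetical device names: two units shipped with the same embedded key.
FLEET = {"substation-1": PEM_A, "substation-2": PEM_A, "substation-3": PEM_B}

if __name__ == "__main__":
    for fp, names in shared_key_groups(FLEET).items():
        flag = "SHARED" if len(names) > 1 else "unique"
        print(f"{fp[:16]}... {flag}: {', '.join(names)}")
```

Run it and the two units holding PEM_A land in one group. In practice the per-device PEM would come from the firmware image or a config export rather than be constructed in the script, and the fingerprint would be compared against the other units before anything else, since a match means a key extracted from any one of them opens all of them.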