Slashdot Mirror


Private Key Found Embedded In Major SCADA Equipment

sl4shd0rk writes "RuggedOS (A Siemens Subsidiary of Flame and Stuxnet fame), an operating system used in mission-critical hardware such as routers and SCADA gear, has been found to contain an embedded private encryption key (PDF). Now that all affected RuggedCom devices are sharing the same key, a compromise on one device gets you the rest for free. If the claims are valid, systems in use which would be affected include U.S. Navy, petroleum giant Chevron, and the Wisconsin Department of Transportation. The SCADA gear which RuggedOS typically runs on is often connected to machinery controlling electrical substations, traffic control systems, and other critical infrastructure. This is the second security nightmare for RuggedCom this year, the first being the discovery of a backdoor containing a non-modifiable account."

29 of 105 comments

  1. Rule One by ColdWetDog · · Score: 5, Funny

    Never, ever, name any software "Rugged".

    You're just asking for it.

    --
    Faster! Faster! Faster would be better!
    1. Re:Rule One by SnoopJeDi · · Score: 5, Funny

      Is that why there are so many hookers named Chastity?

    2. Re:Rule One by torjeh · · Score: 2

      At least not as bad as Oracle's "Unbreakable Enterprise Kernel", IMHO.

    3. Re:Rule One by Spritzer · · Score: 4, Insightful

      The proper term is "Erotic Interaction Specialist" and the name is all part of the experience that you're paying for.

    4. Re:Rule One by Anonymous Coward · · Score: 2, Interesting

      I couldn't help but notice that one of the players on the U.S. women's volleyball Olympic team was named "Destiny Hooker." I don't know what her parents had in mind for her, but she is a hell of a volleyball player.

    5. Re:Rule One by SuspectNumber3 · · Score: 2

      And that all of their customers are named John ?

  2. Not a surprise by jandrese · · Score: 5, Informative

    The embedded controller market is a market full of devices programmed by hardware engineers, not by security professionals. They don't open up their systems for peer review and thus security flaws make it into the final product. There is definitely a sense of security through obscurity with those products, and it almost works except that the internet makes it too easy to broadcast information to the world.

    At least now they know that their system is insecure, instead of having it come as a complete surprise when some attacker exploits the weakness to cause some sort of disaster.

    --

    I read the internet for the articles.
    1. Re:Not a surprise by Darinbob · · Score: 2

      There can be problems trying to get a lot of security into embedded products. There is resistance from management at times because it slows down the release. If the customers aren't demanding it then it's an extra expense without income. Plus good security is always inconvenient by its nature. The more convenient you make something the less secure it becomes. Customers want to just plug in a device and have it work, they want to do upgrades without any hassles, etc.

      Then having security gets in the way of the developers. A secure device can't be debugged as easily, you can't sniff the network traffic, you're always having to figure out a way around security just to get the job done. Often you get special developer boards without security, but sometimes there's the temptation to stick in back doors. The person putting in the back door may not understand all about security and think it could be secure just to check the state of a pin; incorrectly assuming that this information would never leave the company, that no one is ever going to scrape off the potting material, that customers would lack technical ability to attach a probe to test point, etc.

    2. Re:Not a surprise by lintmint · · Score: 2

      Lame excuse.
      If you're a professional engineer tasked with utilizing private / public key encryption you should have known enough to secure the private key.
      If you didn't know better you're incompetent; if you did know better you're as negligent as the management team that let it happen.

    3. Re:Not a surprise by FhnuZoag · · Score: 4, Interesting

      RuggedOS was a recent acquisition by Siemens from a Canadian firm, who had various security worries before its sale, but took care to suppress such news to preserve its valuation. It's doubtful there's any German government involvement. What actually seems to have happened is that the RuggedOS was just a huge turd of a product, which its new owners are slowly coming to discover.

    4. Re:Not a surprise by jandrese · · Score: 2

      But they got the product out the door on time and on budget and it's not hard for the customer to use, so everybody is happy. At least for a few years until the blatant security vulnerabilities are published.

      --

      I read the internet for the articles.
    5. Re:Not a surprise by LordLimecat · · Score: 2

      There's TONS of regulation at the top, it's just that big companies are super good at dealing with it.

      Asking for MORE regulation just helps to kill the competition you seem to be implying is needed.

  3. Of course it has a private key by Anonymous Coward · · Score: 5, Insightful

    That part isn't the story. The story is the fact that they all have the same one. That part is insanity. Without key lifecycle management, including creation, distribution, and revocation, you might as well not use asymmetric encryption at all.

    1. Re:Of course it has a private key by hlavac · · Score: 2

      Having a single key sure simplifies the NSA backdoor management though. Taxpayers are saving money here!

  4. WiDOT by starblazer · · Score: 2

    Hooray! We're all doomed... DOOOOOOOOOOOOOOOOOMED.

    Wait, what does the WiDOT have that's SCADA that would end the world? I think the worst that would happen is that the times on the billboards above 41 would be wrong... or warn us of zombies ahead.

    1. Re:WiDOT by Antipater · · Score: 2

      Traffic light overrides?

      --
      Everything is better with chainsaws.
    2. Re:WiDOT by starblazer · · Score: 2

      They put those gates up because they want to be able to shut the highway down when some FIB decides that 90 was a great speed and rolls his Lexus eight times over and causes a semi to jackknife and roll.

      In my neck of the woods, the only thing that's automatic about these gates are the lights. You still have to dispatch an officer to the gate to crank it down. Once it's down, the officer can relieve himself to do other tasks if the closure is going to be long-term. The alternative is to keep an expensive officer posted at every on-ramp to prevent people from getting on the highway compounding the issue.

  5. Do I even want to know? by fuzzyfuzzyfungus · · Score: 3, Insightful

    What possible reason would there be to have a shared private key among all devices? Even if there is some (weird, and probably not a good idea) requirement that it be identical across an entire user site, that should be part of a programming/keyfill process. If uniqueness is good, it should just generate a key on first boot...

  6. "If the claims are valid..." by Jane+Q.+Public · · Score: 5, Informative

    Um..... since, according to the document,

    "The vulnerability with proof-of-concept (PoC) exploit code was publicly presented by security researcher Justin W. Clarke of Cylance Inc."

    I strongly suspect that the claims are valid.

  7. Re:Siemens is suicidal by fuzzyfuzzyfungus · · Score: 5, Funny

    And all that from a German company.

    Well, to be fair, the alloy chosen, the temper, and tooling tolerances, on the shared private key were damn beautiful...

  8. Well... Surprise! Surprise! Surprise! by gestalt_n_pepper · · Score: 5, Interesting

    And what do you want to bet that the backdoor came from an unfriendly foreign power in the form of an intern or a contract programmer? Takers? Any takers on that action?

    Note to Siemens and the US military: You are not magically protected from software sabotage, particularly when you farm out your software production overseas.

    --
    Please do not read this sig. Thank you.
    1. Re:Well... Surprise! Surprise! Surprise! by CanHasDIY · · Score: 4, Insightful

      And what do you want to bet that the backdoor came from an unfriendly foreign power in the form of an intern or a contract programmer?

      Meh; gross incompetence is far more likely, considering history...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:Well... Surprise! Surprise! Surprise! by FhnuZoag · · Score: 4, Interesting

      We're talking about a Canadian company who, when confronted with the backdoor earlier this year, refused to fix it. So it's safe to say that the company just doesn't care about security. Check your sinophobia at the door, please.

  9. No problem by aaaaaaargh! · · Score: 3, Insightful

    For a few million dollars Siemens will quickly patch it.

  10. Idiot Certificate Authorities by Anonymous Coward · · Score: 2, Informative

    I lay blame at the CAs. I've spoken to two CAs about using certificates in embedded devices using lots of low-cost subdomains (guid.domain.com). Both recommended that I just use a wildcard certificate.

  11. Re:what goes around comes around by FhnuZoag · · Score: 4, Informative

    There is no involvement of the Chinese in this story at all. The original company that created RuggedOS is Canadian. Who the heck modded the parent +5 Insightful?

  12. anything that connects to commodity stuff is evil by swschrad · · Score: 2

    you cannot have security if you have random connections... walkabout machines, removable media that can be read by office and home machines, modem connections, most evil The Connected Internet... that permit a cross of the security barrier.

    there has to be an airgap, and the secure stuff stays inside the secure area, and the other world(s) can't get in there.

    otherwise, you are open to attack, and eventually will be attacked.

    amazing how damn lazy everybody has gotten. I learned this in the 70s.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  13. Re:what goes around comes around by fuzzyfuzzyfungus · · Score: 3, Funny

    Are you saying that Snow Mexicans are behind this threat?

  14. Re:Newbie question by dlgeek · · Score: 3, Informative

    Actually, yes. The most common format for storing RSA keys is PEM and it looks like this (randomly generated key just for this post):

    -----BEGIN RSA PRIVATE KEY-----
    MIIBOQIBAAJBAKLdFpep/qw/SIf/wsO4T17GnttlhLjLrVCfM9p4D2gnnz3OiO45
    Xw1wonFOPR0D9ewAIi4yAhcMFXc2jyw3GbMCAwEAAQJAJV7R1k89jsyemgZH7J0Y
    KUkuHm22/KhPxpYhUdoGvwEqvuyEFdM6kGuFj5AwMD/R8E9g1JFrQSej1aXCvHM5
    oQIhANE3nxoo1pSLRrPv3/dPkq8l9VYtTcjCkiivbh6XHVa5AiEAx0gCx6DMBiGA
    rxdplBG9pA91lUptz6wQbiMsFsvzfcsCIB1zD+E1yGamaDBh3ovIVqRy2mLkA6Pz
    x3EUqJKDwOx5AiBW7DgaLy8O9YoV1VZ9+YcIip21MrPXQ6we/kR65RceJQIgYDV0
    I5e4ncpwsbz6q+VWjZ3mNaOnNgkxESmtQY4vzQo=
    -----END RSA PRIVATE KEY-----

    The base64 data in the middle is a structure that contains a bunch of numbers. The numbers present in a private key are a superset of those in a public key, so even if it's in a format that doesn't have the BEGIN..., by parsing the structure, you can see what's in it. (Try pasting the key block above into the stdin of openssl rsa -noout -text.)
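A worked example, added here and not taken from the post, from RuggedCom or from Siemens, that does what dlgeek describes and then applies it to the complaint in comment 3: it strips the PEM armour, walks the DER SEQUENCE of INTEGERs (version, n, e, d, p, q, dp, dq, qinv) with a minimal ASN.1 reader, and fingerprints the public half (n, e) of each device's key so that devices shipping the same baked-in private key show up as one group. The keys are constructed inside the script from textbook-sized primes so it runs offline without openssl; a real key has a modulus of 2048 bits or more, and the device names are made up.

```python
"""Parse PKCS#1 'BEGIN RSA PRIVATE KEY' PEM blocks and audit a fleet for shared keys.

Added example, not code from the post or from any vendor. Keys are built in-script
from tiny textbook primes so it runs offline; real keys use a >= 2048-bit modulus.
"""
import base64
import hashlib
from typing import Dict, List, Tuple

# ---- minimal DER (ASN.1) encoding, enough for RSAPrivateKey ----

def der_len(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER (tag 0x02); pad with 0x00 so it stays positive."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_len(len(body)) + body

def der_seq(items: List[bytes]) -> bytes:
    """Encode a SEQUENCE (tag 0x30) of already-encoded items."""
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body

def make_pem(p: int, q: int, e: int = 17) -> str:
    """Build a PKCS#1 RSAPrivateKey PEM from primes p, q (constructed test data only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent (modular inverse; Python 3.8+)
    fields = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    b64 = base64.b64encode(der_seq([der_int(v) for v in fields])).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"

# ---- parsing: PEM -> DER -> the nine integers ----

FIELDS = ("version", "n", "e", "d", "p", "q", "dp", "dq", "qinv")

def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if not (lines[0].startswith("-----BEGIN") and lines[-1].startswith("-----END")):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]))

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the real length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_private_key(pem: str) -> Dict[str, int]:
    """Return the nine RSAPrivateKey integers keyed by FIELDS from a PKCS#1 PEM block."""
    tag, body, _ = read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        values.append(int.from_bytes(content, "big"))
    if len(values) < len(FIELDS):
        raise ValueError("too few fields for an RSAPrivateKey")
    return dict(zip(FIELDS, values))

# ---- the audit: same (n, e) on two devices means they share the private key too ----

def public_fingerprint(key: Dict[str, int]) -> str:
    """SHA-256 over DER SEQUENCE { n, e }; depends only on the public half of the key."""
    return hashlib.sha256(der_seq([der_int(key["n"]), der_int(key["e"])])).hexdigest()

def find_shared_keys(device_pems: Dict[str, str]) -> Dict[str, List[str]]:
    """Group devices by public-key fingerprint; return only groups with more than one member."""
    groups: Dict[str, List[str]] = {}
    for name, pem in device_pems.items():
        groups.setdefault(public_fingerprint(parse_rsa_private_key(pem)), []).append(name)
    return {fp: names for fp, names in groups.items() if len(names) > 1}

# Constructed fleet (made-up names): three devices ship the same baked-in key, one has its own.
FLEET = {
    "substation-a": make_pem(61, 53),
    "substation-b": make_pem(61, 53),
    "substation-c": make_pem(61, 53),
    "depot-gateway": make_pem(67, 71),
}

if __name__ == "__main__":
    print(FLEET["substation-a"])
    print(parse_rsa_private_key(FLEET["substation-a"]))
    for fp, names in find_shared_keys(FLEET).items():
        print(f"shared key {fp[:16]}... on {', '.join(names)}")
```

The fingerprint deliberately covers only n and e: a key inventory can be collected as public keys (or as the certificates the devices present on their management interfaces) without ever handling the private material, and a match on the public half is proof that the private half is shared as well. On a real fleet the same grouping over TLS or SSH host keys is the quickest way to confirm or rule out the "every unit has the same key" condition the story describes.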