Slashdot Mirror


Private Key Found Embedded In Major SCADA Equipment

sl4shd0rk writes "RuggedOS (A Siemens Subsidiary of Flame and Stuxnet fame), an operating system used in mission-critical hardware such as routers and SCADA gear, has been found to contain an embedded private encryption key (PDF). Now that all affected RuggedCom devices are sharing the same key, a compromise on one device gets you the rest for free. If the claims are valid, systems in use which would be affected include U.S. Navy, petroleum giant Chevron, and the Wisconsin Department of Transportation. The SCADA gear which RuggedOS typically runs on is often connected to machinery controlling electrical substations, traffic control systems, and other critical infrastructure. This is the second security nightmare for RuggedCom this year, the first being the discovery of a backdoor containing a non-modifiable account."

12 of 105 comments

  1. Rule One by ColdWetDog · · Score: 5, Funny

    Never, ever, name any software "Rugged".

    You're just asking for it.

    --
    Faster! Faster! Faster would be better!
    1. Re:Rule One by SnoopJeDi · · Score: 5, Funny

      Is that why there are so many hookers named Chastity?

    2. Re:Rule One by Spritzer · · Score: 4, Insightful

      The proper term is "Erotic Interaction Specialist" and the name is all part of the experience that you're paying for.

  2. Not a surprise by jandrese · · Score: 5, Informative

    The embedded controller market is a market full of devices programmed by hardware engineers, not by security professionals. They don't open up their systems for peer review and thus security flaws make it into the final product. There is definitely a sense of security through obscurity with those products, and it almost works except that the internet makes it too easy to broadcast information to the world.

    At least now they know that their system is insecure, instead of having it come as a complete surprise when some attacker exploits the weakness to cause some sort of disaster.

    --

    I read the internet for the articles.
    1. Re:Not a surprise by FhnuZoag · · Score: 4, Interesting

      RuggedOS was a recent acquisition by Siemens from a Canadian firm, who had various security worries before its sale, but took care to suppress such news to preserve its valuation. It's doubtful there's any German government involvement. What actually seems to have happened is that the RuggedOS was just a huge turd of a product, which its new owners are slowly coming to discover.

  3. Of course it has a private key by Anonymous Coward · · Score: 5, Insightful

    That part isn't the story. The story is the fact that they all have the same one. That part is insanity. Without key lifecycle management, including creation, distribution, and revocation, you might as well not use asymmetric encryption at all.
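    The point about key lifecycle can be made concrete with a small fleet model. This is an added illustration for the thread, not code from Siemens, RuggedCom or the cited advisory. The Python standard library has no asymmetric primitives, so an HMAC over a per-device secret stands in for a per-device key pair; the lifecycle argument (unique creation, controlled distribution, revocation) is the same. Device names and keys are constructed.

```python
"""Blast radius of one leaked key: fleet-wide shared key vs. per-device keys.

Added example, not from the page or any vendor. HMAC with a per-device secret
stands in for a per-device key pair (stdlib only). All ids/keys are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Fleet:
    """Devices that authenticate management commands with a per-device key."""
    keys: dict = field(default_factory=dict)    # device id -> secret key bytes
    revoked: set = field(default_factory=set)   # device ids whose key is revoked

    def provision_shared(self, device_ids, shared_key):
        # Anti-pattern: every unit ships with the same key baked into firmware.
        for dev in device_ids:
            self.keys[dev] = shared_key

    def provision_unique(self, device_ids):
        # Each unit gets its own random key at manufacturing/commissioning.
        for dev in device_ids:
            self.keys[dev] = secrets.token_bytes(32)

    def verify(self, device, command, tag):
        # A revoked device is rejected regardless of whether the tag matches.
        if device in self.revoked:
            return False
        expected = hmac.new(self.keys[device], command, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def revoke(self, device):
        self.revoked.add(device)


def blast_radius(fleet, compromised):
    """How many devices would accept a command tagged with the key taken
    from one compromised unit. 1 is the floor; N means 'one device gets you
    the rest for free'."""
    leaked = fleet.keys[compromised]
    cmd = b"set-relay open"          # constructed sample command
    tag = hmac.new(leaked, cmd, hashlib.sha256).digest()
    return sum(1 for dev in fleet.keys if fleet.verify(dev, cmd, tag))


def demo():
    ids = [f"rtu-{i:02d}" for i in range(1, 11)]   # ten constructed devices

    shared = Fleet()
    shared.provision_shared(ids, b"factory-default-key-constructed")
    unique = Fleet()
    unique.provision_unique(ids)

    result = {
        "shared_before_revoke": blast_radius(shared, "rtu-03"),
        "unique_before_revoke": blast_radius(unique, "rtu-03"),
    }
    # Revocation only helps when keys are unique: pulling the compromised unit
    # from a shared-key fleet still leaves every other unit accepting its key.
    shared.revoke("rtu-03")
    unique.revoke("rtu-03")
    result["shared_after_revoke"] = blast_radius(shared, "rtu-03")
    result["unique_after_revoke"] = blast_radius(unique, "rtu-03")
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    With the shared key, all ten devices accept a tag made from the key lifted off one unit, and revoking that unit still leaves nine exposed; with per-device keys the exposure is a single unit and revocation takes it to zero. The asymmetric case behaves the same way: a shared private key means one extracted key impersonates every device, and there is no certificate to revoke that does not take down the whole fleet.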

  4. "If the claims are valid..." by Jane Q. Public · · Score: 5, Informative

    Um..... since, according to the document,

    "The vulnerability with proof-of-concept (PoC) exploit code was publicly presented by security researcher Justin W. Clarke of Cylance Inc."

    I strongly suspect that the claims are valid.

  5. Re:Siemens is suicidal by fuzzyfuzzyfungus · · Score: 5, Funny

    And all that from a German company.

    Well, to be fair, the alloy chosen, the temper, and tooling tolerances, on the shared private key were damn beautiful...

  6. Well... Surprise! Surprise! Surprise! by gestalt_n_pepper · · Score: 5, Interesting

    And what do you want to bet that the backdoor came from an unfriendly foreign power in the form of an intern or a contract programmer? Takers? Any takers on that action?

    Note to Siemens and the US military: You are not magically protected from software sabotage, particularly when you farm out your software production overseas.

    --
    Please do not read this sig. Thank you.
    1. Re:Well... Surprise! Surprise! Surprise! by CanHasDIY · · Score: 4, Insightful

      And what do you want to bet that the backdoor came from an unfriendly foreign power in the form of an intern or a contract programmer?

      Meh; gross incompetence is far more likely, considering history...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    2. Re:Well... Surprise! Surprise! Surprise! by FhnuZoag · · Score: 4, Interesting

      We're talking about a Canadian company who, when confronted with the backdoor earlier this year, refused to fix it. So it's safe to say that the company just doesn't care about security. Check your sinophobia at the door, please.

  7. Re:what goes around comes around by FhnuZoag · · Score: 4, Informative

    There is no involvement of the Chinese in this story at all. The original company that created RuggedOS is Canadian. Who the heck modded the parent +5 Insightful?