Slashdot Mirror

← Back to Stories (view on slashdot.org)

Private Key Found Embedded In Major SCADA Equipment

Posted by Soulskill on from the you-didn't-think-this-through dept.

sl4shd0rk writes "RuggedOS (A Siemens Subsidiary of Flame and Stuxnet fame), an operating system used in mission-critical hardware such as routers and SCADA gear, has been found to contain an embedded private encryption key (PDF). Now that all affected RuggedCom devices are sharing the same key, a compromise on one device gets you the rest for free. If the claims are valid, systems in use which would be affected include U.S. Navy, petroleum giant Chevron, and the Wisconsin Department of Transportation. The SCADA gear which RuggedOS typically runs on is often connected to machinery controlling electrical substations, traffic control systems, and other critical infrastructure. This is the second security nightmare for RuggedCom this year, the first being the discovery of a backdoor containing a non-modifiable account."

7 of 105 comments (clear)

  1. Rule One by ColdWetDog · · Score: 5, Funny

    Never, ever, name any software "Rugged".

    You're just asking for it.

    --
    Faster! Faster! Faster would be better!
    1. Re:Rule One by SnoopJeDi · · Score: 5, Funny

      Is that why there are so many hookers named Chastity?

  2. Not a surprise by jandrese · · Score: 5, Informative

    The embedded controller market is a market full of devices programmed by hardware engineers, not by security professionals. They don't open up their systems for peer review and thus security flaws make it into the final product. There is definitely a sense of security through obscurity with those products, and it almost works except that the internet makes it too easy to broadcast information to the world.

    At least now they know that their system is insecure, instead of having it come as a complete surprise when some attacker exploits the weakness to cause some sort of disaster.

    --

    I read the internet for the articles.
  3. Of course it has a private key by Anonymous Coward · · Score: 5, Insightful

    That part isn't the story. The story is the fact that they all have the same one. That part is insanity. Without key lifecycle management, including creation, distribution, and revocation, you might as well not use asymmetric encryption at all.

  4. "If the claims are valid..." by Jane+Q.+Public · · Score: 5, Informative
    Um..... since, according to the document,

    "The vulnerability with proof-of-concept (PoC) exploit code was publicly presented by security researcher Justin W. Clarke of Cylance Inc."

    I strongly suspect that the claims are valid.

  5. Re:Simens is suicidal by fuzzyfuzzyfungus · · Score: 5, Funny

    And all that from a German company.

    Well, to be fair, the alloy chosen, the temper, and tooling tolerances, on the shared private key were damn beautiful...

  6. Well... Surprise! Surprise! Surprise! by gestalt_n_pepper · · Score: 5, Interesting

    And what do you want to bet that the backdoor came from an unfriendly foreign power in the form of an intern or a contract programmer? Takers? Any takers on that action?

    Note to Siemens and the US military: You are not magically protected from software sabotage, particularly when you farm out your software production overseas.

    --
    Please do not read this sig. Thank you.