Equipment Maker Caught Installing Backdoor Account in Control System Code

[InfoSec News <alerts () infosecnews org>]

http://www.wired.com/threatlevel/2012/04/ruggedcom-backdoor/

By Kim Zetter
Threat Level
Wired.com
April 25, 2012

A Canadian company that makes equipment and software for critical 
industrial control systems planted a backdoor login account in its 
flagship operating system, according to a security researcher, 
potentially allowing attackers to access the devices online.

The backdoor, which cannot be disabled, is found in all versions of the 
Rugged Operating System made by RuggedCom, according to independent 
researcher Justin W. Clarke, who works in the energy sector. The login 
credentials for the backdoor include a static username, “factory,” that 
was assigned by the vendor and can’t be changed by customers, and a 
dynamically generated password that is based on the individual MAC 
address, or media access control address, for any specific device.

Attackers can uncover the password for a device simply by inserting the 
MAC address, if known, into a simple Perl script that Clarke wrote. MAC 
addresses for some devices can be learned by doing a search with SHODAN, 
a search tool that allows users to find internet-connected devices, such 
as industrial control systems and their components, using simple search 
terms.

Clarke, who is based in San Francisco, says he discovered the backdoor 
after purchasing two used RuggedCom devices -- an RS900 switch and an 
RS400 serial server -- on eBay for less than $100 and examining the 
firmware installed on them.

[...]

_______________________________________________
LayerOne Security Conference
May 26-27, Clarion Hotel, Anaheim, CA
http://www.layerone.org