Secret account in mission-critical router opens power plants to tampering

[InfoSec News <alerts () infosecnews org>]

http://arstechnica.com/security/2012/09/secret-account-in-mission-critical-router-opens-power-plants-to-tampering/

By Dan Goodin
Ars Technica
Sept 4, 2012

The branch of the US Department of Homeland Security that oversees 
critical infrastructure has warned power utilities, railroad operators, 
and other large industrial players of a weakness in a widely used router 
that leaves them open to tampering by untrusted employees.

The line of mission-critical routers manufactured by Fremont, 
California-based GarrettCom contains an undocumented account with a 
default password that gives unprivileged users access to advanced 
options and features, Justin W. Clarke, an expert in the security of 
industrial control systems, told Ars. The "factory account" makes it 
possible for untrusted employees or contractors to significantly 
escalate their privileges and then tamper with electrical switches or 
other industrial controls that are connected to the devices.

GarrettCom boxes are similar to regular network routers and switches 
except that they're designed to withstand extreme heat and cold, as well 
as dry, wet, or dusty conditions. They're also fluent in the Modbus and 
DNP communications protocols used to natively administer industrial 
control and supervisory control and data acquisition gear.

Search results recently returned by the Shodan computer search engine 
showed nine of the vulnerable devices connected to the Internet using 
US-based IP addresses. If the default credentials haven't been changed, 
the undocumented factory account can allow people with guest accounts to 
gain unfettered control of the devices, said Clarke, who is a researcher 
with Cylance, a firm specializing in security of industrial systems.

[...]