From: Ars Technica
The weakness leaves control systems open to tampering by untrusted employees.
by Dan Goodin
The branch of the US Department of Homeland Security that oversees critical infrastructure has warned power utilities, railroad operators, and other large industrial players of a weakness in a widely used router that leaves them open to tampering by untrusted employees.
The line of mission-critical routers manufactured by Fremont, California-based GarrettCom contains an undocumented account with a default password that gives unprivileged users access to advanced options and features, Justin W. Clarke, an expert in the security of industrial control systems, told Ars. The “factory account” makes it possible for untrusted employees or contractors to significantly escalate their privileges and then tamper with electrical switches or other industrial controls that are connected to the devices.
GarrettCom boxes are similar to regular network routers and switches except that they’re designed to withstand extreme heat and cold, as well as dry, wet, or dusty conditions. They’re also fluent in the Modbus and DNP communications protocols used to natively administer industrial control and supervisory control and data acquisition gear.
Search results recently returned by the Shodan computer search engine showed nine of the vulnerable devices connected to the Internet using US-based IP addresses. If the default credentials haven’t been changed, the undocumented factory account can allow people with guest accounts to gain unfettered control of the devices, said Clarke, who is a researcher with Cylance, a firm specializing in security of industrial systems.
“Cylance has identified an unforeseen method whereby a user authenticated as ‘guest’ or ‘operator’ can escalate privileges to the ‘factory’ account,” an advisory published by the company warned. Clarke told Ars he discovered the account after buying a device from eBay for $12 and analyzing the way it worked. Clarke is the same researcher who discovered an undocumented account with a hard-coded password in a similar line of mission-critical switches sold by GarrettCom competitor RuggedCom.
The Industrial Control Systems Cyber Emergency Response Team has issued an advisory recommending users of the GarrettCom devices install a security update that locks down the factory account.
Leave a Reply