And cue Eadon
with another unrelated Windoze rant.
Security researchers have uncovered hard-coded user accounts that could act as backdoors into food, car, and agricultural production systems across the world. The flaw, which allows attackers to launch remote exploits, was found in a pair of industrial control devices. The security hole was found in the BL20 and BL67 …
with another unrelated Windoze rant.
And cue Eadon
WITH ANOTHER UNRELATED WINDOZE RANT.
....or..... don't connect production machines directly to the internet - if they must be reachable remotely - at the very least use VPN!
Yeah, cause that worked so well to stop Stuxnet.
I do sympathize with the vendors. You send out the kit and some clueless git calls you after they've bolluxed the system wanting you to remote in to fix it. Only they don't know a working access code so what do you do? If you have a backdoor, you have an avenue for repairs.
But the security daemons are correct, it's a huge gaping hole. And while it might not be bright neon lights to your typical Anonymous LUser, it is for the threat you really should be concerned about: state entities or groups sponsored by them.
If you have a backdoor, you have an avenue for repairs.
Why isn't this back door disabled by default? Why not have a physical 'unbollux' switch on the device to enable it, which must be turned off to resume normal operations? Why is there a common backdoor account for all these devices, instead of single device accounts which would need to be looked up by serial number to gain access? Neither of these are particularly high tech, and neither are particularly sophisticated (the latter has the account database as a single leakable point of security failure) but even these basic steps were not taken. I'm not even a security guy; I'd like to imagine that there are 'best practises' out there that people should really be using by now that are rather better than my ill-informed ideas.
I have minimal sympathy for the vendors. If this is new kit, as opposed to stuff from the Bad Old Days of No Security Whatsoever, it is totally inexcusable as opposed to being just a poor and short-sighted design decision with serious consequences.
That would be too much like right. In fact, I would wager that the result of this will be that instead of a relatively unknown flaw on all of these systems, there will be a well-publicized flaw on most of them as their admins fail to patch them properly or in a timely manner.
I know that this is a recurring theme in network and system security, but it would seem to me that a vendor could gain a reputation for security simply by implementing and promoting its willingness and ability to update its systems in much the same way many apps and OSes currently do: automatically. We see a lot of stories involving appliance, SCADA, and embedded systems not being updated because admins are just not getting the job done. How many systems out there get the job done painlessly and consistently?
Part of it is that 'security research firms' are gagging for a chance to blow the lid off something. Most of these firms don't get any work until they can prove they know their stuff so they publicize vulnerabilities as soon as they can. Part of it is complexity in designing a fix. Many times, especially with hardware, the people who designed the original code are no longer around & getting it straight is a huge deal. And sometimes the manufacturer simply doesn't want to acknowledge the issue.
It is all a mess.
Customers demanded remote access so they didn't to send a truck and a service person out to drive miles to change a setting on a traffic light, storm sewer or air quality monitor
Then they demanded that they use regular wifi/gsm etc so that they could dump the fixed phone line.
At no point did they say they would pay extra for milpec security and so the suppliers didn't fit it
You might as well ask why your home isn't fireproof or your car isn't theft proof - because the costs outweigh the risks
Even a cheap home router can be set to not pass FTP traffic. When access is needed then log in to the router to enable the traffic then disable it afterwards. For older kit where updates are no longer readily available or where taking the device offline would cause too much disruption using a router to filter the traffic is a cheap fix (much less than £100 per device to be secured)
You don't say? Backdoors hardcoded into commercial software?
Hello I am the government here to tell you not to have back doors in systems because that is insecure.
Now I will pass some laws saying everything must have a back door so I can keep track of everything because of the terrorism. But this time Don't Tell The Media at least until I make laws banning third party security consultants and media disclosure.
Just in case anyone thinks Dan 4 is exaggerating, I can tell you for a fact he isn't.
Even worse - every country in the world then demands the same facility.
So you have to either design 178 different secure backdoors and ensure that you sell the correct model to each country. Or you create a single law enforcement backdoor and give the same access to everyone.
So the radios you are supplying to the police in the USA have a backdoor and you tell the security services of the "enemy country of the day" the code, because they bought the same radio
I brought a tin of alphabetty-speghetti the other day and the only letters it contained were, L, O, Z, S, E and C.
Bloody Anonymous hacked my sodding dinner!
And the same Feds demand back doors (which always end up hacker-friendly, even they're not supposed to be) in communications.
At the end of the day, it seems that the only way to truly secure any piece of networked gear boils down to physical security, e.g. no connection to the internet at all, a backdoor-enable switch as suggested by "Ru" above, or some similar measure that no amount of hacking can overcome. There's still the problem of social engineering, so maybe making that switch one operated by a lock and key is necessary. Otherwise, a stupid secretary gets an email "go flip switch J on box A" and does it.
"Otherwise, a stupid secretary gets an email "go flip switch J on box A" and does it."
Ahh!, the old and trusted Social Engineering tricks. I don't think there's a lock in the market complex enough that it can beat human gullibility and ignorance.
I was hoping they were talking about vending machines included in that group.
The US Congress should enact leglislation, immediately, to outlaw the use of Turck products in the US.