Backdoor Found in RuggedCom Industrial Control Systems
The Rugged Operating System (ROS) comes with a static username and an easily identifiable password.
A security researcher recently uncovered a backdoor login account in the operating system of Canadian industrial control systems equipment maker RuggedCom.
"The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector," writes Wired's Kim Zetter. "The login credentials for the backdoor include a static username, 'factory,' that was assigned by the vendor and can’t be changed by customers, and a dynamically generated password that is based on the individual MAC address, or media access control address, for any specific device. Attackers can uncover the password for a device simply by inserting the MAC address, if known, into a simple Perl script that Clarke wrote."
"Clarke said that he had made 'multiple attempts' to have Ruggedcom remove the back door account and notify customers of its existence," writes Threatpost's Paul Roberts. "Ruggedcom was first notified in April, 2011 and acknowledged the existence of the account in July, 2011 and requested more time to notify customers on April 10, but did not indicate that the company would close the backdoor account."
"Since Clarke's discovery, Ruggedcom has issued a statement urging users to disconnect their equipment -- but has yet to fix the problem," writes Mail Online's Rob Waugh. "'RuggedCom recommends to our ROS customers that they disable device access via Telnet and RSH after initial device configuration is complete. Leaving these protocols enabled represents a security issue that is currently under investigation by RuggedCom,' says the company. 'RuggedCom is continuing to investigate this issue and will provide updates as more information becomes available.'"
"RuggedCom, a Siemens subsidiary, specialises in industrial grade networking equipment for 'harsh environments' and recommends its switches and servers for use in power plants, oil refineries, military environments and traffic monitoring systems," The H Security reports.
"In acknowledging but not fixing a security vulnerability in software that's widely used to control critical infrastructure, RuggedCom joins a growing roster of companies marketing wares bitten by so-called forever-day bugs," writes Ars Technica's Dan Goodin. "The term, which is a play on the phrase zero-day vulnerability, refers to documented flaws in industrial systems that will never be fixed."
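Until a fix exists, operators can at least watch for use of the static 'factory' account and for devices that still accept Telnet or RSH sessions. The following detection sketch is an added example, not code from RuggedCom or from the researcher; the log layout, device names and addresses are constructed for illustration and are not the real ROS log format.

```python
import re

# Constructed sample lines in a generic syslog-like layout (assumption:
# this is NOT the actual ROS log format; adapt LINE_RE to your collector).
SAMPLE_LOG = """\
2012-04-25T08:01:12Z sw-substation-1 auth: login ok user=admin proto=ssh src=10.0.5.20
2012-04-25T08:03:40Z sw-substation-1 auth: login ok user=factory proto=telnet src=10.0.9.77
2012-04-25T08:04:02Z sw-pump-3 auth: login failed user=factory proto=rsh src=10.0.9.77
2012-04-25T08:10:55Z sw-pump-3 auth: login ok user=operator proto=telnet src=10.0.5.21
2012-04-25T08:11:30Z sw-pump-3 link: port 4 up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+)$"
)

VENDOR_ACCOUNT = "factory"           # static username named in the article
LEGACY_PROTOS = {"telnet", "rsh"}    # protocols the vendor says to disable


def audit(log_text):
    """Return one finding per auth event that touches the vendor account
    or arrives over a protocol that should have been disabled."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an auth event in the assumed layout
        ev = m.groupdict()
        reasons = []
        if ev["user"].lower() == VENDOR_ACCOUNT:
            # Failed attempts matter too: customers never use this account.
            kind = "login" if ev["result"] == "ok" else "attempt"
            reasons.append("vendor-account-" + kind)
        if ev["proto"].lower() in LEGACY_PROTOS:
            reasons.append("legacy-protocol-in-use")
        if reasons:
            findings.append({"ts": ev["ts"], "device": ev["device"],
                             "src": ev["src"], "reasons": reasons})
    return findings


def devices_needing_hardening(findings):
    """Devices that demonstrably still accept Telnet or RSH sessions."""
    return sorted({f["device"] for f in findings
                   if "legacy-protocol-in-use" in f["reasons"]})


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["ts"], f["device"], f["src"], ",".join(f["reasons"]))
```

Any event for the 'factory' user is worth an alert regardless of outcome, and the hardening list shows where the vendor's Telnet/RSH recommendation has not yet been applied.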