Rugged OS (industry, military & power plant OS) has backdoor into SCADA networks (seclists.org)
171 points by fpp on April 25, 2012 | hide | past | favorite | 31 comments


Every RuggedCom device starts with 00-0A-DC (http://www.coffer.com/mac_find/?string=ruggedcom). Even without the MAC, you really only have to search 2^24 possible passwords. And that's assuming they randomize their MAC allocations.


And since the MAC address is visible in the ARP table and on the Ethernet, if you're simply able to TCP connect, the MAC address is already given!


What is most disturbing is that they have known about this for a year now and have still not acted on it - even with all the press around Stuxnet.

BTW - RuggedCom was recently sold to Siemens for C$382 million - hope they have informed them about this issue otherwise I guess it soon will be lawyer time.


No worries. Siemens backdoors are even worse.


Indeed. Siemens vulnerabilities are precisely how Stuxnet worked.


I would love to know if this was ever disclosed to Siemens, especially prior to the purchase.

In any case, someone at RuggedCom should be fired for doing nothing about this. My impression after reading the Seclists notice is that they were playing a waiting game.


Oh good, then at least next time when Siemens develops and helps deploy more Internet censoring infrastructure for oppressive regimes again, there'll be some backdoors in it!


The best way to compromise national security is to have backdoors in the name of national security.


The backdoor has national, international, and local security implications. The user name is "factory" and the password is based on the unit's MAC address. That pretty strongly indicates it was intended for factory initialization and recovery of mis-configured devices, not a backdoor in the name of "national security".

"Factory" user/password combinations have long been a problem - often not revealed to the purchaser of the equipment[1][2]. This one is especially bad because it cannot be disabled even if the user knows about it.

[1] http://all.net/CID/Attack/papers/BadDefaults.html

[2] Oracle is notorious for default users/passwords http://www.petefinnigan.com/default/default_password_list.ht...


Indeed. Epic. This is the NarusInsight (nee Carnivore) of the present and future.


This is a common problem in industrial firmware; Allen Bradley PLCs and frequency drives had a well-known backdoor for years prior to the Rockwell acquisition. (And for some time after, since AB can't retire an old product.)


So, now that this is out, what do the admins for these compromisable systems do? Presumably RuggedCom has not got a patch out yet, so they just sit there?

Not a good day.


> So, now that this is out, what do the admins for these compromisable systems do? Presumably RuggedCom has not got a patch out yet, so they just sit there?

There are often no "admins" of these systems. They are installed, the support contract lapses, and they continue to run, vulnerabilities and all. Sometimes there may have been an air gap, but a desire for remote management results in a 'net link being connected. A VPN or firewall is typically the only security in place.

The systems often run beyond what we in IT would call a sensible shelf life, because they're the control system for a major plant or piece of infrastructure. Shutting them down to do the upgrade bears a cost of its own (note that I am not condoning this behaviour).

It's disappointing, and dangerous, but hopefully as we move to more generalised hardware and IE60850/IP (over ModBus, DNP3, etc) solutions, things will improve. I think some organisations are running a race they're destined to lose though, especially as intruders set their sights on these weaknesses.


Not so long ago botnets were used to blackmail sites into paying DDoS "protection". If you knew enough to command a piece of plant to exceed its design parameters you could blackmail quite effectively. Stuxnet, but for profit.


This is what I love about HN, always looking to turn a bad situation into a profitable startup!


Have a look at http://www.kb.cert.org/vuls/id/889195

"Workarounds: ROS users can disable the rsh service and set the number of allowed telnet connections to 0."

There is currently no solution available.


A disconnected system is a secure system. The statement above the line you quoted says:

"Solution: We are currently unaware of a practical solution to this problem."

What's the point of a remote management switch you can't access?


The exploit demo is written in Perl. Finally, something I can read and understand.


Surprised no-one from the Perl community has complained about the lack of 'use strict' in this 15 liner..


What permissions does "factory" have in their systems then?


Complete administrative control of the device.

"...An attacker with knowledge of an ROS device's MAC address may be able to gain complete administrative control of the device..."

see: http://www.kb.cert.org/vuls/id/889195


What's interesting is the NERC CIP push from the federal side to get power distribution devices onto a common IP network. I'm a bit fuzzy on the details, but there are major incentives and/or regulations to doing this, and it's a pretty important inflection point for the technology used in power companies. Even then, there are only a handful of companies playing in that space (RuggedCom, Siemens, Cisco, some other traditional manufacturing PLC folks).

From my experience most of these devices are read-only monitors, but I'm sure there are exceptions. This little issue could be a big deal for their certification. I'm surprised they didn't take it more seriously. This is the hackers-will-take-over-our-power-grid kind of scenario the public doesn't like to think about.


Basically, this is instant access to any control system out there. The MAC address can be had trivially. The researcher who did this did it with minimal resources. Guess what a foreign government/agitator will do?


Curious how the password generator got leaked... an insider?


The algorithm looks pretty trivial. All it does is take the MAC address, reverse the byte ordering, and use the result modulo 999999929.

That's probably simple enough that even I could read it in assembly and figure it out. I don't know if getting a firmware image is difficult, but the actual generator certainly isn't the hard part here.

I'm wondering if that modulo value has any meaning - looking at it in a few different formats hasn't immediately struck any sparks with me.


> I'm wondering if that modulo value has any meaning

It's a prime number, close to 1 billion.


That's the sort of password an idiot would have on their luggage...

Downvote? People don't watch the classics anymore!


You're on a forum full of self-important humourless people, what did you expect? Mind the downvotes.


It wasn't leaked. The obvious vulnerability made it trivial to write up a script to demonstrate it, which is all the researcher did.


Or a smart reverser :)


So you don't need Stuxnet anymore?

