Secret account in mission-critical router opens power plants to tampering
The branch of the US Department of Homeland Security that oversees critical infrastructure has warned power utilities, railroad operators, and other large industrial players of a weakness in a widely used router that leaves them open to tampering by untrusted employees.
The line of mission-critical routers manufactured by Fremont, California-based GarrettCom contains an undocumented account with a default password that gives unprivileged users access to advanced options and features, Justin W. Clarke, an expert in the security of industrial control systems, told Ars. The "factory account" makes it possible for untrusted employees or contractors to significantly escalate their privileges and then tamper with electrical switches or other industrial controls that are connected to the devices.
Modbus and DNP communications protocols used to natively administer industrial control and supervisory control and data acquisition gear.
Search results recently returned by the Shodan computer search engine showed nine of the vulnerable devices connected to the Internet using US-based IP addresses. If the default credentials haven't been changed, the undocumented factory account can allow people with guest accounts to gain unfettered control of the devices, said Clarke, who is a researcher with Cylance, a firm specializing in security of industrial
"Cylance has identified an unforeseen method whereby a user authenticated as 'guest' or 'operator' can escalate privileges to the 'factory' account," an advisory published by the company warned. Clarke told Ars he discovered the account after buying a device off of eBay for $12 and analyzing the way it worked. Clarke is the same researcher who discovered an undocumented account with a hard-coded password in a similar line of mission-critical switches sold by GarrettCom competitor RuggedCom.
The Industrial Control Systems Cyber Emergency Response Team has issued an advisory recommending users of the GarrettCom devices install a security update that locks down the factory account.
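Until the update is applied, the practical question for an operator is whether anyone has already reached the undocumented account. The following is an added example, not code from Ars Technica, Cylance, or GarrettCom: a small audit script that scans authentication logs for successful logins to the 'factory' account, for an ordinary 'guest' or 'operator' session that escalated into it, and for repeated failed attempts against it. The log line format and the sample lines are constructed for the example; GarrettCom's real log format is not described in the article, so the regular expression would have to be adapted to whatever the devices actually emit.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Account names taken from the Cylance advisory quoted above: "factory" is the
# undocumented account, "guest" and "operator" are the ordinary roles.
ORDINARY_ROLES = {"guest", "operator"}
UNDOCUMENTED_ACCOUNTS = {"factory"}

# How many failed logins against the undocumented account from one source on
# one device are tolerated before a finding is raised (assumed threshold).
FAILURE_THRESHOLD = 3

# Hypothetical syslog-style format (assumed, not GarrettCom's real format):
#   <timestamp> <device> auth: user=<name> src=<ip> result=<success|failure> [via=<role>]
# "via" names the already-authenticated role a session escalated from, if any.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)(?: via=(?P<via>\S+))?$"
)


@dataclass
class Finding:
    ts: str
    device: str
    user: str
    src: str
    reason: str


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines: List[str]) -> List[Finding]:
    """Flag successful use of the undocumented account and brute-force attempts on it."""
    findings: List[Finding] = []
    failures: Counter = Counter()  # (device, src, user) -> failed-login count
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] not in UNDOCUMENTED_ACCOUNTS:
            continue
        user, via = rec["user"], rec["via"]
        if rec["result"] == "success":
            if via in ORDINARY_ROLES:
                reason = f"privilege escalation from '{via}' to '{user}'"
            else:
                reason = f"login to undocumented '{user}' account"
            findings.append(Finding(rec["ts"], rec["device"], user, rec["src"], reason))
        else:
            key = (rec["device"], rec["src"], user)
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                reason = f"repeated failed logins against undocumented '{user}' account"
                findings.append(Finding(rec["ts"], rec["device"], user, rec["src"], reason))
    return findings


# Constructed sample log; device names, addresses and timestamps are made up.
SAMPLE_LOG = [
    "2012-10-29T10:00:01Z sub-rtr-01 auth: user=operator src=10.1.2.3 result=success",
    "2012-10-29T10:02:14Z sub-rtr-01 auth: user=factory src=10.1.2.3 result=success via=operator",
    "2012-10-29T10:05:00Z sub-rtr-02 auth: user=factory src=10.1.2.9 result=failure",
    "2012-10-29T10:05:03Z sub-rtr-02 auth: user=factory src=10.1.2.9 result=failure",
    "2012-10-29T10:05:05Z sub-rtr-02 auth: user=factory src=10.1.2.9 result=failure",
    "2012-10-29T10:06:00Z sub-rtr-03 auth: user=guest src=10.1.2.4 result=success",
    "2012-10-29T10:07:30Z sub-rtr-03 auth: user=factory src=192.0.2.7 result=success",
    "this line is not an auth record and is skipped",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.device} user={f.user} src={f.src}: {f.reason}")
```

The script only reads logs; it does not touch the devices. A hit on the first or third rule is worth treating as an incident on its own, since the article gives no legitimate reason for a guest or operator to end up in the factory account, and a hit on the second rule is a sign that someone is guessing the default password the advisory tells operators to lock down.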
Full article at ArsTechnica