06:00 PM
Connect Directly

Researchers Out Default Passwords Packaged With ICS/SCADA Wares

'SCADAPass' tool debuts; meanwhile, some PLCs found hackable via long, random passwords.

ICS/SCADA researchers from Russia have published online a list of popular industrial systems that come packaged with default passwords in hopes that the vendors--which include a who's who in ICS/SCADA--will change their ways in that practice.

The so-called SCADAPass list includes more than 100 products, ranging from controllers to Web servers and from big-name vendors such as Allen-Bradley, Schneider Electric, and Siemens. The researchers gathered information on the products with default passwords such as "admin.admin," "password," "root," and "administrator," from various sources, including the open passwords lists and vendor documentation. They say it's only the "tip of the iceberg" of ICS/SCADA products that come packaged with default authentication.

Default passwords are those that come factory-shipped with the product. A customer (a utility, for example) or its installer would be responsible for setting a new and strong password much like IT administrators are expected to do with their network equipment or other devices. But the researchers say that mentality isn't always a given in the ICS/SCADA world.

"The goal is to change mindset of vendors, who use simple/default passwords in industrial systems without proper security controls -- change on first logon, password complexity, etc. The approach of vendors from IT world," where users are expected to change the default password upon installation in most cases, doesn't work in the ICS world, says Sergey Gordeychik, a member of the SCADA StrangeLove Team of white hat hackers who compiled and posted the SCADAPass list.

"Operators prefer to use 'If it works, don't touch it' principle. Sometimes they even do not have information about different features of control devices," he says. Simple passwords--or none at all--are acceptable for locally accessed and physically protected systems such as HMI or MES panels, he says. However, if they use same authentication for network or radio access, this is a problem. Big problem," Gordeychik says.

He says he and the team stopped short of including "a long list" of hardcoded passwords they have found in their research. Hardcoded passwords can't be changed by the user.

The danger, of course, is getting remote root access to an industrial router, a PLC, or other ICS/SCADA device, basically makes access game over. Exploitation would require an attacker to know the industrial process -- say, water treatment -- to wage a damaging attack, he says.

Finding ICS/SCADA systems with default credentials isn't difficult, however, notes Dale Peterson CEO at ICS/SCADA consulting firm Digital Bond. "We've had our own internal lists like that for years, and we keep adding to them when we come across" more, he says.

The upside to publishing SCADAPass, he says, is that it could help flag these passwords for ICS/SCADA operators. But the tradeoff is these have been flagged to be added to password lookup tools, he says.

Peterson says his firm sometimes finds default credentials in their clients' networks. "The IT security guys have no idea what credentials they should be testing," so SCADAPass could be a useful tool for them, he says.

Hacking Via Big Fat Passwords

Meanwhile, specially crafted passwords also can be used to hack some ICS/SCADA equipment: researchers at CyberX discovered a zero-day flaw in several models of Schneider Electric Modicon M340 PLC products found in some nuclear reactors, water and wastewater sites, and transportation systems.

CyberX found a buffer overflow flaw in the products that can be exploited when a random password of between 90 and 100 characters is typed into the PLC's web interface. It basically crashes the device, and allows an attacker to execute code remotely. Schneider has patched some of the affected models, but several more will be patched on Jan. 16.

Nir Giller, CTO of CyberX, says the hack is a bit ironic given that it exploits the authentication mechanism in the products. "This is the first time we've seen you being able to do a buffer overflow using a password field," he says.

An attacker performing this attack on a master industrial controller could shut down a master PLC, for example, and disable the operations network, Giller notes. The attack could escalate from there, says Giller, who will demonstrate the attack next week at the S4 ICS/SCADA conference in Miami.

Schneider had not responded to press inquiries as of this posting.

Digital Bond's Peterson says ICS/SCADA plant operators should pay more attention to remote access to their control systems. "The biggest risk is allowing a lot of people remote access into your control systems -- employees, vendors, and consultants," Peterson says. That leaves the door open for breaches, especially via a clever spear phishing attack that steals one of those users' credentials, he notes.

And since most ICS/SCADA sites still only sparingly patch their systems if at all due to their emphasis on uptime and operations, risk management and reduction are crucial to keeping plants secure from hackers, experts say.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/14/2016 | 10:07:26 AM
Building Control System Integrator Perspective
I come from the BMS (building management systems)/FMS (facility management systems) space and tyically we are rolled into ICS/SCADA.  While a close fit, it is not an exact fit.  Our communtiy is trying to design and implement control systems securely.  However, older systems, for the most part, are forgotten.  It is these systems that this list impacts greatly.  Too many of us left behind default username and passwords as well leaving ports set to the default port.  This article emphasizes the need for us, the BMS/FMS integrators, to reach out to our installed customer base and at lease let them know that these systems need have the default settings changed.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
1/6/2016 | 4:37:11 PM
Re: Acronyms
Thank you for sharing this, @Dave. I will definitely keep that in mind for future stories.
User Rank: Apprentice
1/6/2016 | 3:53:37 PM
This was a very interesting article but I have one peeve, usage of acronyms w/o spelling out their full name at the first use. Given how technical the article is I believe it's necessary (and proper manual of style). Given my casual interest I had to look up quite a few. Otherwise, nice article.
Diversity: It's About Inclusion
Kelly Jackson Higgins, Executive Editor at Dark Reading,  4/25/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.