Researchers Out Default Passwords Packaged With ICS/SCADA Wares

'SCADAPass' tool debuts; meanwhile, some PLCs found hackable via long, random passwords.

ICS/SCADA researchers from Russia have published online a list of popular industrial systems that come packaged with default passwords, in hopes that the vendors--which include a who's who in ICS/SCADA--will abandon the practice.

The so-called SCADAPass list includes more than 100 products, ranging from controllers to Web servers, from big-name vendors such as Allen-Bradley, Schneider Electric, and Siemens. The researchers gathered information on products shipping with default passwords such as "admin.admin," "password," "root," and "administrator" from various sources, including open password lists and vendor documentation. They say it's only the "tip of the iceberg" of ICS/SCADA products that come packaged with default authentication.

Default passwords are those that come factory-shipped with the product. A customer (a utility, for example) or its installer would be responsible for setting a new and strong password much like IT administrators are expected to do with their network equipment or other devices. But the researchers say that mentality isn't always a given in the ICS/SCADA world.

"The goal is to change mindset of vendors, who use simple/default passwords in industrial systems without proper security controls -- change on first logon, password complexity, etc. The approach of vendors from IT world," where users are expected to change the default password upon installation in most cases, doesn't work in the ICS world, says Sergey Gordeychik, a member of the SCADA StrangeLove Team of white hat hackers who compiled and posted the SCADAPass list.

"Operators prefer to use 'If it works, don't touch it' principle. Sometimes they even do not have information about different features of control devices," he says. Simple passwords--or none at all--are acceptable for locally accessed and physically protected systems such as HMI or MES panels, he says. "However, if they use same authentication for network or radio access, this is a problem. Big problem," Gordeychik says.

He says he and the team stopped short of including "a long list" of hardcoded passwords they have found in their research. Hardcoded passwords can't be changed by the user.

The danger, of course, is that remote root access to an industrial router, a PLC, or other ICS/SCADA device is basically game over. Exploitation would still require an attacker to understand the industrial process -- say, water treatment -- to wage a damaging attack, he says.

Finding ICS/SCADA systems with default credentials isn't difficult, however, notes Dale Peterson, CEO of ICS/SCADA consulting firm Digital Bond. "We've had our own internal lists like that for years, and we keep adding to them when we come across" more, he says.

The upside to publishing SCADAPass, he says, is that it could help flag these passwords for ICS/SCADA operators. The tradeoff is that the same passwords will now also be added to password lookup tools, he says.

Peterson says his firm sometimes finds default credentials in its clients' networks. "The IT security guys have no idea what credentials they should be testing," so SCADAPass could be a useful tool for them, he says.

Hacking Via Big Fat Passwords

Meanwhile, specially crafted passwords also can be used to hack some ICS/SCADA equipment: researchers at CyberX discovered a zero-day flaw in several models of Schneider Electric Modicon M340 PLC products found in some nuclear reactors, water and wastewater sites, and transportation systems.

CyberX found a buffer overflow flaw in the products that can be exploited when a random password of between 90 and 100 characters is typed into the PLC's web interface. It basically crashes the device, and allows an attacker to execute code remotely. Schneider has patched some of the affected models, but several more will be patched on Jan. 16.

Nir Giller, CTO of CyberX, says the hack is a bit ironic given that it exploits the authentication mechanism in the products. "This is the first time we've seen you being able to do a buffer overflow using a password field," he says.
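The general shape of the defect described above, as an added illustration that is not CyberX's finding or Schneider's code: a login handler that copies a submitted password into a fixed 64-byte stack buffer with no length check, beside a hardened handler that refuses over-long input before copying anything. The buffer size, function names, the "admin" reference password and the 'A'-filled test passwords are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_BUF 64            /* assumed fixed-size stack buffer in a login handler */
#define PW_MAX (PW_BUF - 1)  /* longest password the hardened handler accepts */

/* Unsafe pattern: the submitted password is copied into a fixed buffer with no
 * length check, so a 90-100 byte input overruns the stack. Contrast only. */
int login_unsafe(const char *submitted, const char *expected)
{
    char buf[PW_BUF];
    strcpy(buf, submitted);                 /* unbounded copy: the defect */
    return strcmp(buf, expected) == 0 ? 1 : 0;
}

/* Hardened: measure with a bound, refuse over-long input before any copy,
 * then copy exactly n bytes and terminate. Returns 1 ok, 0 wrong, -1 rejected. */
int login_safe(const char *submitted, const char *expected)
{
    char buf[PW_BUF];
    size_t n = 0;
    while (n < PW_BUF && submitted[n] != '\0')  /* never scans past PW_BUF */
        n++;
    if (n > PW_MAX) return -1;              /* would not fit in buf: refuse */
    memcpy(buf, submitted, n);
    buf[n] = '\0';
    return strcmp(buf, expected) == 0 ? 1 : 0;
}

/* Constructed input: a password of `len` 'A's, standing in for the 90-100
 * character random strings described above. Returns login_safe's verdict. */
int probe_length(size_t len, const char *expected)
{
    char *pw = malloc(len + 1);
    if (!pw) return -2;
    memset(pw, 'A', len);
    pw[len] = '\0';
    int rc = login_safe(pw, expected);
    free(pw);
    return rc;
}

int main(void)
{
    printf("short, correct: %d\n", login_safe("admin", "admin"));  /* 1 */
    printf("short, wrong  : %d\n", login_safe("guest", "admin"));  /* 0 */
    printf("95 chars      : %d\n", probe_length(95, "admin"));     /* -1 */
    return 0;
}
```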

An attacker performing this attack on a master industrial controller could shut down a master PLC, for example, and disable the operations network, Giller notes. The attack could escalate from there, says Giller, who will demonstrate the attack next week at the S4 ICS/SCADA conference in Miami.

Schneider had not responded to press inquiries as of this posting.

Digital Bond's Peterson says ICS/SCADA plant operators should pay more attention to remote access to their control systems. "The biggest risk is allowing a lot of people remote access into your control systems -- employees, vendors, and consultants," Peterson says. That leaves the door open for breaches, especially via a clever spear phishing attack that steals one of those users' credentials, he notes.

And since most ICS/SCADA sites still only sparingly patch their systems if at all due to their emphasis on uptime and operations, risk management and reduction are crucial to keeping plants secure from hackers, experts say.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
1/14/2016 | 10:07:26 AM
Building Control System Integrator Perspective
I come from the BMS (building management systems)/FMS (facility management systems) space and typically we are rolled into ICS/SCADA. While a close fit, it is not an exact fit. Our community is trying to design and implement control systems securely. However, older systems, for the most part, are forgotten. It is these systems that this list impacts greatly. Too many of us left behind default usernames and passwords as well as leaving ports set to the default port. This article emphasizes the need for us, the BMS/FMS integrators, to reach out to our installed customer base and at least let them know that these systems need to have the default settings changed.
Kelly Jackson Higgins
User Rank: Strategist
1/6/2016 | 4:37:11 PM
Re: Acronyms
Thank you for sharing this, @Dave. I will definitely keep that in mind for future stories.
User Rank: Apprentice
1/6/2016 | 3:53:37 PM
This was a very interesting article but I have one peeve, usage of acronyms w/o spelling out their full name at the first use. Given how technical the article is I believe it's necessary (and proper manual of style). Given my casual interest I had to look up quite a few. Otherwise, nice article.