
Endpoint

1/4/2016 06:00 PM

Researchers Out Default Passwords Packaged With ICS/SCADA Wares

'SCADAPass' tool debuts; meanwhile, some PLCs found hackable via long, random passwords.

ICS/SCADA researchers from Russia have published online a list of popular industrial systems that ship with default passwords, in the hope that the vendors, which include a who's who of ICS/SCADA, will change that practice.

The so-called SCADAPass list includes more than 100 products, ranging from controllers to Web servers, from big-name vendors such as Allen-Bradley, Schneider Electric, and Siemens. The researchers gathered the products and their default credentials, such as "admin.admin," "password," "root," and "administrator," from various sources, including open password lists and vendor documentation. They say it is only the "tip of the iceberg" of ICS/SCADA products that ship with default authentication.

Default passwords are the credentials a product ships with from the factory. The customer (a utility, for example) or its installer is responsible for setting a new, strong password, much as IT administrators are expected to do with their network equipment and other devices. But the researchers say that mentality isn't a given in the ICS/SCADA world.

"The goal is to change the mindset of vendors who use simple/default passwords in industrial systems without proper security controls: change on first logon, password complexity, etc. The approach of vendors from the IT world," where users are expected to change the default password upon installation in most cases, doesn't work in the ICS world, says Sergey Gordeychik, a member of the SCADA StrangeLove team of white-hat hackers who compiled and posted the SCADAPass list.

"Operators prefer to use the 'If it works, don't touch it' principle. Sometimes they do not even have information about the different features of control devices," he says. Simple passwords, or none at all, are acceptable for locally accessed and physically protected systems such as HMI or MES panels, he says. "However, if they use the same authentication for network or radio access, this is a problem. Big problem," Gordeychik says.

He says he and the team stopped short of including "a long list" of hardcoded passwords they have found in their research. Unlike default passwords, hardcoded passwords cannot be changed by the user at all.

The danger, of course, is that remote root access to an industrial router, a PLC, or any other ICS/SCADA device is essentially game over for that device. Turning that access into a damaging attack would also require the attacker to understand the industrial process involved, such as water treatment, he says.

Finding ICS/SCADA systems with default credentials isn't difficult, however, notes Dale Peterson, CEO of ICS/SCADA consulting firm Digital Bond. "We've had our own internal lists like that for years, and we keep adding to them when we come across" more, he says.

The upside to publishing SCADAPass, he says, is that it could help flag these passwords for ICS/SCADA operators. The tradeoff is that the same credentials are now just as easy to add to the password lookup tools attackers use, he says.

Peterson says his firm sometimes finds default credentials in its clients' networks. "The IT security guys have no idea what credentials they should be testing," so SCADAPass could be a useful tool for them, he says.
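The kind of check Peterson describes, an audit of an asset inventory against a SCADAPass-style credential list, as an added example (this is not code from the SCADA StrangeLove team, Digital Bond, or the SCADAPass repository). The CSV column layout, the vendor and product names, the device addresses, and the simulated login responses below are all constructed for illustration; in practice you would feed in the published SCADAPass file, your own inventory, and a real login routine for each protocol:

```python
"""Audit an asset inventory against a SCADAPass-style default-credential list.

Added example, not the SCADAPass project's own tooling. The CSV layout
(vendor,product,version,protocol,port,username,password,source) is an
assumption about the list's format; all sample rows and hosts are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample rows in the assumed SCADAPass-like layout.
SAMPLE_DEFAULTS = """\
vendor,product,version,protocol,port,username,password,source
ExampleVendor,ExamplePLC-100,all,http,80,admin,admin,vendor manual
ExampleVendor,ExamplePLC-100,all,telnet,23,root,password,open list
OtherVendor,WebHMI-2,2.x,http,80,administrator,,vendor manual
"""


def load_defaults(text):
    """Parse the CSV into {(vendor, product): [entries]}, keyed case-insensitively."""
    table = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["vendor"].strip().lower(), row["product"].strip().lower())
        table[key].append({
            "protocol": row["protocol"].strip().lower(),
            "port": int(row["port"]) if row["port"].strip() else None,
            "username": row["username"],
            "password": row["password"],   # empty string means "no password set"
            "source": row["source"],
        })
    return table


def candidate_logins(table, vendor, product):
    """Every (protocol, port, username, password) worth trying for one product."""
    return [(e["protocol"], e["port"], e["username"], e["password"])
            for e in table.get((vendor.lower(), product.lower()), [])]


def audit(inventory, table, try_login):
    """Return findings for devices that still accept a listed default.

    inventory: iterable of dicts with host, vendor, product.
    try_login(host, protocol, port, username, password) -> bool is injected so
    the same audit can drive a real HTTP/Telnet login routine or the stub below.
    """
    findings = []
    for dev in inventory:
        for proto, port, user, pw in candidate_logins(table, dev["vendor"], dev["product"]):
            if try_login(dev["host"], proto, port, user, pw):
                findings.append({"host": dev["host"], "protocol": proto,
                                 "port": port, "username": user, "password": pw})
                break  # one confirmed default is enough to flag the device
    return findings


# Constructed stand-in for real devices so the example runs with no network:
# host -> set of (username, password) pairs the simulated device accepts.
FAKE_DEVICES = {
    "10.0.0.5": {("admin", "admin")},          # still on the factory default
    "10.0.0.6": {("root", "Tr0ub4dor&3")},     # changed by the installer
    "10.0.0.7": {("administrator", "")},       # blank password still accepted
}


def fake_login(host, protocol, port, username, password):
    return (username, password) in FAKE_DEVICES.get(host, set())


INVENTORY = [
    {"host": "10.0.0.5", "vendor": "ExampleVendor", "product": "ExamplePLC-100"},
    {"host": "10.0.0.6", "vendor": "ExampleVendor", "product": "ExamplePLC-100"},
    {"host": "10.0.0.7", "vendor": "OtherVendor", "product": "WebHMI-2"},
]


def run_sample_audit():
    return audit(INVENTORY, load_defaults(SAMPLE_DEFAULTS), fake_login)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['host']}: default {f['username']}/{f['password']!r} "
              f"accepted over {f['protocol']}:{f['port']}")
```

The audit only tries the credentials listed for the exact vendor and product in the inventory, which keeps it from becoming a generic brute-force run against controllers that do not tolerate repeated logins; a blank password is kept as an empty string rather than dropped, because "no password" is exactly the condition the list is meant to surface.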

Hacking Via Big Fat Passwords

Meanwhile, specially crafted passwords can also be used to attack some ICS/SCADA equipment: researchers at CyberX discovered a zero-day flaw in several models of Schneider Electric's Modicon M340 PLC line, which is deployed in some nuclear reactors, water and wastewater sites, and transportation systems.

CyberX found a buffer overflow in the products that can be triggered by submitting a random password of between 90 and 100 characters to the PLC's Web interface. The overflow crashes the device, and it also allows an attacker to execute code remotely. Schneider has patched some of the affected models; several more are due to be patched on Jan. 16.

Nir Giller, CTO of CyberX, says the hack is a bit ironic given that it exploits the authentication mechanism in the products. "This is the first time we've seen you being able to do a buffer overflow using a password field," he says.

An attacker using this flaw against a master industrial controller could shut down that master PLC and disable the operations network, Giller notes. The attack could escalate from there, says Giller, who will demonstrate it next week at the S4 ICS/SCADA conference in Miami.

Schneider had not responded to press inquiries as of this posting.
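What the CyberX finding describes, a login field that survives short passwords and fails at the transport level once the input passes some length, is the kind of boundary a tester locates with a length ramp and then a bisection. The harness below is an added example, not CyberX's research code or any Schneider Electric software, and it does not carry any exploit for the M340: it only reports the first password length at which the target stops answering. The transport is an injectable `submit(password)` callable; `http_form_submit` is a plain urllib form POST whose field name is an assumption, and `FakeDevice` is a constructed stand-in with an assumed 64-byte buffer (not the real device's value) so the example runs offline. Probes like this belong on lab equipment you own, since a crashed PLC is a production outage:

```python
"""Locate the password length at which a Web login fails at the transport level.

Added example, not CyberX's or Schneider Electric's code. FakeDevice and its
64-byte buffer are constructed assumptions; http_form_submit assumes the login
form field is called "password".
"""
import secrets
import string
import urllib.error
import urllib.parse
import urllib.request

ALPHABET = string.ascii_letters + string.digits


def random_password(length):
    """A random password of exactly `length` characters."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def http_form_submit(url, field="password", timeout=5.0):
    """Build a submit() that POSTs the password as one form field.

    An HTTP error status still means the device answered; only a dropped
    connection or a timeout is surfaced as a transport failure.
    """
    def submit(password):
        body = urllib.parse.urlencode({field: password}).encode()
        try:
            with urllib.request.urlopen(url, data=body, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as exc:
            return exc.code
        except (urllib.error.URLError, OSError) as exc:
            raise ConnectionError(str(exc)) from exc
    return submit


class FakeDevice:
    """Constructed stand-in: a login handler with an assumed 64-byte buffer.

    A submission longer than the buffer 'crashes' the device, after which it
    stops answering entirely, the behaviour the article attributes to the PLC.
    """
    BUFFER = 64

    def __init__(self):
        self.alive = True

    def submit(self, password):
        if not self.alive:
            raise ConnectionError("device not responding")
        if len(password.encode()) > self.BUFFER:
            self.alive = False
            raise ConnectionError("connection reset by peer")
        return 401  # wrong password, but the device survived the request


def find_crash_length(submit, lengths):
    """Submit one random password per length; return (length, reason) for the
    first transport-level failure, or None if every length was survived."""
    for n in lengths:
        try:
            submit(random_password(n))
        except (ConnectionError, TimeoutError) as exc:
            return n, str(exc)
    return None


def bisect_crash_length(make_submit, good, bad):
    """Narrow the boundary between a length known to be survived (`good`) and
    one known to crash (`bad`). Each probe takes a fresh session from
    make_submit() because a crashed target no longer answers anything."""
    while bad - good > 1:
        mid = (good + bad) // 2
        try:
            make_submit()(random_password(mid))
            good = mid
        except (ConnectionError, TimeoutError):
            bad = mid
    return bad


if __name__ == "__main__":
    # Coarse ramp first, then bisect with a fresh (rebooted) device per probe.
    coarse = find_crash_length(FakeDevice().submit, range(8, 129, 8))
    print("first crashing length in the ramp:", coarse)
    exact = bisect_crash_length(lambda: FakeDevice().submit, coarse[0] - 8, coarse[0])
    print("smallest crashing length:", exact)
```

The ramp deliberately distinguishes an HTTP error (the device rejected the login but answered) from a reset or timeout (the device stopped talking), because only the latter is evidence of the crash the article describes; and bisection takes a factory for sessions rather than one session, since a target that has already fallen over would make every later probe look like a crash.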

Digital Bond's Peterson says ICS/SCADA plant operators should pay more attention to remote access to their control systems. "The biggest risk is allowing a lot of people remote access into your control systems -- employees, vendors, and consultants," Peterson says. That leaves the door open for breaches, especially via a clever spear-phishing attack that steals one of those users' credentials, he notes.

And since most ICS/SCADA sites still patch their systems only sparingly, if at all, because of their emphasis on uptime and operations, risk management and reduction are crucial to keeping plants secure from hackers, experts say.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

fred.gordy, User Rank: Apprentice, 1/14/2016 | 10:07:26 AM
Building Control System Integrator Perspective
I come from the BMS (building management systems)/FMS (facility management systems) space and typically we are rolled into ICS/SCADA.  While a close fit, it is not an exact fit.  Our community is trying to design and implement control systems securely.  However, older systems, for the most part, are forgotten.  It is these systems that this list impacts greatly.  Too many of us left behind default usernames and passwords as well as leaving ports set to the default port.  This article emphasizes the need for us, the BMS/FMS integrators, to reach out to our installed customer base and at least let them know that these systems need to have the default settings changed.
Kelly Jackson Higgins, User Rank: Strategist, 1/6/2016 | 4:37:11 PM
Re: Acronyms
Thank you for sharing this, @Dave. I will definitely keep that in mind for future stories.
DaveS074, User Rank: Apprentice, 1/6/2016 | 3:53:37 PM
Acronyms
This was a very interesting article but I have one peeve, usage of acronyms w/o spelling out their full name at the first use. Given how technical the article is I believe it's necessary (and proper manual of style). Given my casual interest I had to look up quite a few. Otherwise, nice article.