Equipment Maker Caught Installing Backdoor Account in Control System Code

A RuggedCom switch and server (shown on either side of the electrical outlet) have a manufacturer-installed backdoor in their operating systems. Photo: Courtesy Justin W. Clarke

A Canadian company that makes equipment and software for critical industrial control systems planted a backdoor login account in its flagship operating system, according to a security researcher, potentially allowing attackers to access the devices online.

The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, “factory,” that was assigned by the vendor and can’t be changed by customers, and a dynamically generated password that is based on the individual MAC address, or media access control address, for any specific device.

Attackers who know a device's MAC address can recover its password by feeding the address to a short Perl script that Clarke wrote. MAC addresses for some devices can be learned by doing a search with SHODAN, a search tool that allows users to find internet-connected devices, such as industrial control systems and their components, using simple search terms.
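Because the "factory" username is fixed by the vendor and cannot be changed or disabled, any login under that account is a signal worth alerting on. The following Python script is an added example (not from the article or from RuggedCom) that scans constructed, OpenSSH-style syslog lines for logins to the "factory" account and groups them by source address; it assumes the devices' logs look like that, which is an assumption, not something the article states.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines for illustration only; hostnames and
# addresses are made up and not taken from the article.
SAMPLE_LOGS = """\
Apr 23 10:01:12 rs900-sub7 sshd: Accepted password for admin from 10.20.0.5 port 50211
Apr 23 10:02:45 rs900-sub7 sshd: Failed password for factory from 198.51.100.7 port 41022
Apr 23 10:02:51 rs900-sub7 sshd: Accepted password for factory from 198.51.100.7 port 41023
Apr 23 10:03:02 rs400-sub7 sshd: Accepted password for factory from 198.51.100.7 port 41030
Apr 23 10:05:10 rs900-sub7 sshd: Accepted password for operator from 10.20.0.9 port 50300
"""

# Assumed OpenSSH-style log format: "<ts> <host> <proc>: Accepted|Failed password for <user> from <ip> ..."
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s\S+:\s"
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)
BACKDOOR_USER = "factory"  # vendor-fixed account name reported in the article


def find_backdoor_logins(log_text):
    """Return every parsed login event (as a dict) that used the 'factory' account."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m.group("user") == BACKDOOR_USER:
            hits.append(m.groupdict())
    return hits


def summarize_by_source(hits):
    """Group 'factory' logins by source IP: devices reached and accepted/failed counts."""
    summary = defaultdict(lambda: {"devices": set(), "accepted": 0, "failed": 0})
    for h in hits:
        entry = summary[h["src"]]
        entry["devices"].add(h["host"])
        entry["accepted" if h["result"] == "Accepted" else "failed"] += 1
    return dict(summary)


if __name__ == "__main__":
    for src, info in summarize_by_source(find_backdoor_logins(SAMPLE_LOGS)).items():
        print(f"{src}: {len(info['devices'])} device(s), "
              f"{info['accepted']} accepted, {info['failed']} failed")
```

Feeding the detector from a central syslog collector rather than the devices themselves also covers the case where a device's local log is wiped after a backdoor login.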

Clarke, who is based in San Francisco, says he discovered the backdoor after purchasing two used RuggedCom devices – an RS900 switch and an RS400 serial server – on eBay for less than $100 and examining the firmware installed on them.

RuggedCom server containing a backdoor that was purchased on eBay by a researcher. Photo: Courtesy Justin W. Clarke

Clarke said the devices carried labels with French writing that suggested they had been used in a substation at a utility in Canada.

RuggedCom switches and servers are used in “mission-critical” communication networks that operate power grids and railway and traffic control systems as well as manufacturing facilities. RuggedCom asserts on its website that its products are “the product of choice for high-reliability, high-availability, mission-critical communications networks deployed in harsh environments around the world.”

Clarke says he notified RuggedCom about his discovery in April 2011 and says the representative he spoke with acknowledged the existence of the backdoor.

“They knew it was there,” he told Threat Level. “They stopped communicating with me after that.”

The company failed to notify customers or otherwise address the serious security vulnerability introduced by the backdoor.

Clarke got busy with his day job, and only took up the issue again recently after a colleague reminded him about it.

He contacted ICS-CERT, the Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team, two months ago, which passed the information on to the CERT Coordination Center at Carnegie Mellon University. CERT contacted RuggedCom, but after the vendor’s lack of responsiveness, CERT set a deadline for publicly disclosing the vulnerability on Apr. 13, according to Clarke.

RuggedCom asserted on Apr. 11 that it needed three more weeks to notify customers, but gave no indication that it planned to secure the backdoor vulnerability by issuing a firmware upgrade, according to Clarke.

He told the vendor and CERT that he would wait three weeks if the company assured him that it planned to issue an upgrade that would remove the backdoor at that time. If the company did not respond to him by Apr. 18 or otherwise assure him that it planned to issue the upgrade, he would go public with the information. CERT, he said, supported him in the move.

“CERT came back and said, ‘Listen, you’re free to do what you’ve got to do’,” Clarke said.

When he heard nothing from the vendor on the 18th, Clarke went public with the information on the Full Disclosure security list on Monday.

“If the vendor actually had played along and wanted to fix this and responded in a timely manner, this would have been perfect,” Clarke said. “I wouldn’t have gone full-disclosure.”

RuggedCom did not respond to a call for comment.

RuggedCom, which is based in Canada, was recently purchased by the German conglomerate Siemens. Siemens itself has been heavily criticized for having a backdoor and hard-coded passwords in some of its industrial control system components. The Siemens vulnerabilities, in the company’s programmable logic controllers, would let attackers reprogram the systems with malicious commands to sabotage critical infrastructure or lock out legitimate administrators.

A hardcoded password in a Siemens database was used by the authors of the Stuxnet worm to attack industrial control systems used by Iran in its uranium enrichment program.

Hardcoded passwords and backdoor accounts are just two of numerous security vulnerabilities and security design flaws that have existed for years in industrial control systems made by multiple manufacturers. The security of the devices came under closer scrutiny in 2010 after the Stuxnet worm was discovered on systems in Iran and elsewhere.

Numerous researchers have been warning about the vulnerabilities for years. But vendors have largely ignored the warnings and criticism because customers haven’t demanded that the vendors secure their products.