Koyo/Automation Direct has responded to Basecamp and has made many of the right moves. Yesterday’s ICSA-12-102-02 pretty much says it all: Koyo has disabled the device’s webserver by default and added a lockout after repeated failed password attempts. Hosteng.com has the latest versions of firmware available for download, and the changelog for our version (available here, dated March 26th) indicates that 3 incorrect passcode attempts result in a five minute lockout.
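To make concrete what a "3 strikes, five minutes" lockout buys you, here is a small model of that policy. This is an added illustration written for this post, not Koyo's firmware code; it assumes the lockout is global to the device rather than per source address, and that a correct passcode resets the failure counter (the changelog does not say either way). The fake clock exists only so the lockout window can be exercised without waiting.

```python
import hmac
import math
import time

MAX_FAILURES = 3        # per the changelog: three bad passcodes ...
LOCKOUT_SECONDS = 300   # ... trigger a five minute lockout


class PasscodeGate:
    """Failed-attempt lockout modelled on the described firmware behaviour.

    Assumption (not from the changelog): the lockout is device-wide, so
    while it is active every client is refused, including the legitimate
    operator. That is the usual trade-off of a lockout: it slows guessing
    but hands an attacker a cheap way to deny access.
    """

    def __init__(self, passcode, clock=time.monotonic):
        self._passcode = passcode.encode()
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0

    def is_locked(self):
        return self._clock() < self._locked_until

    def seconds_until_unlock(self):
        return max(0.0, self._locked_until - self._clock())

    def attempt(self, candidate):
        """Return True on a correct passcode, False otherwise.

        While locked, the candidate is not even compared, so a correct guess
        landing inside the window does not slip through.
        """
        now = self._clock()
        if now < self._locked_until:
            return False
        # Constant-time compare: a plaintext passcode is bad enough without
        # leaking byte-by-byte through timing as well.
        if hmac.compare_digest(candidate.encode(), self._passcode):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._locked_until = now + LOCKOUT_SECONDS
            self._failures = 0
        return False


def brute_force_seconds(keyspace, max_failures=MAX_FAILURES,
                        lockout=LOCKOUT_SECONDS):
    """Worst-case time to exhaust a keyspace against this lockout policy.

    The attacker gets max_failures guesses per window and then waits out
    the lockout; the last window needs no wait afterwards.
    """
    windows = math.ceil(keyspace / max_failures)
    return (windows - 1) * lockout


class FakeClock:
    """Controllable clock for demonstrating the lockout window offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    gate = PasscodeGate("1234", clock=clock)   # constructed sample passcode
    for guess in ("0000", "0001", "0002"):
        print(guess, gate.attempt(guess))
    print("locked:", gate.is_locked(), "for", gate.seconds_until_unlock(), "s")
    clock.advance(LOCKOUT_SECONDS)
    print("after lockout, correct passcode:", gate.attempt("1234"))
    days = brute_force_seconds(10_000) / 86400
    print(f"4-digit passcode, worst case: {days:.1f} days")
```

Running the numbers shows the point: a four-digit passcode that falls in seconds to an unthrottled guesser takes about 11.6 days at three guesses per five minutes. That is a real improvement for something the device enforces itself, but it is still a plaintext passcode on the wire, and anyone who can reach the port can keep the device locked against its operator by feeding it three bad guesses every five minutes.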
I’ve said it before, but I’ll say it again: webservers on embedded products are a big ‘dumb’. Without very careful development, it’s just too easy to make your own bugs. Bugs in devices that are ultimately responsible for controlling a process are probably the worst: they can ruin process integrity and then cause painful upgrades down the road. I think that leaving embedded webservers disabled should be the default state for all control devices, and especially for those with actual process I/O.
For all of the full disclosure naysayers, it is notable that vulnerabilities in the Koyo webserver were first disclosed at S4 in 2009 by Digital Bond alum Daniel Peck. Holding a vendor’s feet to the fire certainly seems to have paid off in this case.
To be fair, these were easy changes for Koyo to make. They actually designed their controller with some semblance of security in mind (a passcode that is actually enforced in the controller is an amazing thing — even if it’s plaintext, it puts their protocol a cut above the rest). They also didn’t engineer their controller to rely upon the webserver for any settings. Other vendors should probably be taking notes here.
We have yet to hear a response from General Electric about their D20 issues, nor any inkling of a plan from Schneider Electric to do away with the hard-coded backdoor credentials and lack of authentication in their Quantum series. Schneider’s metering division gives me a little hope that they can re-engineer their controllers to add security features, but time will tell.
Image by alextorrenegra