UPDATE – The vulnerability was found by Justin W. Clarke, an independent security researcher in San Francisco, California.
We don’t cover most of the ICS vulnerabilities on this site, but the Ruggedcom undocumented backdoor access is a huge risk and a pathetic display of vendor response if the details in the full-disclosure post are correct.
Ruggedcom is the Cisco of network infrastructure equipment that is packaged and hardened for the industrial environment (Hirschmann would be the Juniper, or vice versa). It is very common to have the IT staff pushing for Cisco and the operations staff demanding a ruggedized router or switch, often Ruggedcom. Increasingly, Ruggedcom devices are being used as perimeter security devices for field sites because they have integrated security features.
According to a full disclosure post by JC, the Ruggedcom devices have a hard-coded account named ‘factory’ with a fixed password that is derived from the device’s MAC address. A MAC address is not a secret: it is visible in ARP caches and switch forwarding tables and is usually printed on the chassis label. So learn the MAC address, run the derivation, and you have the credentials to log in to the Ruggedcom network infrastructure device.
According to JC, this is present in all versions of the Rugged Operating System (ROS). The analogue would be finding a backdoor account with a deterministic password in Cisco’s IOS.
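To make the class of flaw concrete, here is an added illustration. It is not Ruggedcom’s code and not the derivation JC published; the `weak_factory_password` function is a made-up stand-in that only models the property that matters, namely that the password is a pure function of a publicly observable value. The sample MAC addresses are constructed. The second half shows the alternative a vendor should have shipped: a random per-device secret generated at provisioning, delivered to the owner out of band, and stored on the device only as a salted hash.

```python
import hashlib
import hmac
import secrets

# Constructed sample: MAC addresses as an attacker could learn them from an
# ARP cache, a switch forwarding table, a chassis label, or a passive capture.
SAMPLE_MACS = ["00:0a:dc:01:02:03", "00:0a:dc:aa:bb:cc"]


def weak_factory_password(mac):
    """HYPOTHETICAL stand-in for 'a password derived from the MAC address'.

    This is NOT the real ROS algorithm. It exists only to show that when
    the output depends on nothing but a public identifier, the derivation
    function is equivalent to publishing the password: anyone who learns
    the MAC (and the function) can log in."""
    digits = mac.replace(":", "").replace("-", "").lower()
    return str(int(digits, 16) % 10**8).zfill(8)


class ProvisionedDevice:
    """Hardened alternative: a per-device random recovery secret.

    The secret is generated once at provisioning, handed to the owner out
    of band, and kept on the device only as a salted PBKDF2 hash. Nothing
    observable on the network lets an attacker recompute it."""

    def __init__(self, mac):
        self.mac = mac
        self.salt = secrets.token_bytes(16)
        recovery_secret = secrets.token_urlsafe(24)
        self._hash = self._digest(recovery_secret)
        # Delivered to the owner once (e.g. printed in the shipping docs);
        # the plaintext is not retained by the device in a real design.
        self.recovery_secret_for_owner = recovery_secret

    def _digest(self, secret):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)

    def verify(self, candidate):
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(self._digest(candidate), self._hash)


def weak_scheme_is_predictable(macs=SAMPLE_MACS):
    """The weak scheme yields the same password on every call from the MAC
    alone, so an attacker's independent computation matches the device's."""
    return all(
        weak_factory_password(m) == weak_factory_password(m.upper()) for m in macs
    )


def hardened_scheme_resists_mac_knowledge(macs=SAMPLE_MACS):
    """Knowing the MAC, and even the weak derivation, does not unlock a
    device provisioned with a random secret; the real owner still gets in."""
    devices = [ProvisionedDevice(m) for m in macs]
    guesses_fail = all(not d.verify(weak_factory_password(d.mac)) for d in devices)
    owner_ok = all(d.verify(d.recovery_secret_for_owner) for d in devices)
    return guesses_fail and owner_ok


if __name__ == "__main__":
    for m in SAMPLE_MACS:
        print(m, "->", weak_factory_password(m))
    print("weak scheme predictable:", weak_scheme_is_predictable())
    print("hardened scheme resists MAC knowledge:", hardened_scheme_resists_mac_knowledge())
```

The point of the contrast is not the hash function: any scheme whose only input is a value an attacker can read off the wire or the front panel is a backdoor with extra steps, however elaborate the derivation.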
It’s bad enough that Ruggedcom allowed this shoddy security practice into the product line, but when called on it, they failed to react. According to JC’s timeline, Ruggedcom was notified in April 2011. After no fix was forthcoming, JC notified US-CERT in February 2012. With no fix planned, he went public today.
Why was this not fixed? Removing a hard-coded account with a deterministic password shouldn’t be that difficult … unless the account is used for something such as management or updates. So you are left with an unpleasant choice of explanations: either a truly embarrassing response to a serious vulnerability, or a backdoor that is important and in use.
Ironically, Siemens purchased Ruggedcom for US$381M in January. Clearly Siemens cannot be blamed for this vulnerability, but it would be interesting to know whether Siemens knew about it at the time of purchase or has learned of it since.