Back on 5 July 2012 we added a counter in the right column of our home page: “Schneider Has Not Removed Modicon FTP Backdoor Account in xxx days.” This was prompted by Ruben Santamarta’s disclosures of the account, but the start date was December 2006, when we created a Nessus plugin that identified the account. As of June 4 the counter was up to 2363 days. Hard to believe.
Tuesday of this week ICS-CERT issued an update to the Schneider Electric Quantum Ethernet Module Hard-Coded Credentials advisory. So the question is: have the hard-coded FTP credentials been removed, thereby stopping the clock?
Based on the information in the advisory, the answer is no. The credentials have not been removed, and the counter continues.
The advisory states:
Schneider has also created a patch for the HTTP and FTP service that is available on selected Quantum PLC. This patch has a new feature that allows the user to disable the FTP service on modules.
Nothing in the advisory states that the hard-coded credentials have been removed. Disabling the FTP service hides the account from the network; it does not remove it from the firmware.
Future firmware upgrades will likely require FTP to be enabled, and it is an open question how secure the process of enabling and disabling FTP is. Can an attacker simply enable FTP over the network and then log in with the hard-coded backdoor accounts?
I have taken a break from criticizing ICS-CERT to avoid boring loyal readers, but this bears comment.
An owner/operator reading this advisory, or reasonably searching the ICS-CERT site, would have no idea that the Modicon PLC is insecure by design. It still allows unauthenticated ladder logic upload, which lets an attacker modify the process a la Stuxnet. An attacker with logical access can still start and stop the PLC, and all of this is easily demonstrated with the Project Basecamp Metasploit modules.
Modicon users are still reliant on a keep-the-bad-guys-out, perimeter security defense. They lack the defense in depth that is so often heralded as a key tenet of ICS security. We are still waiting for DHS to say that critical infrastructure owner/operators should be upgrading or replacing these insecure-by-design field devices.
For those who say this is not the role of the CERT: understand that DHS has changed its brand, and all DHS activities related to ICS are under the ICS-CERT banner.