I’m a week or two late on this, but I think that the community as a whole has paid far too little attention to the advisory released a few weeks ago by the folks at C4/CERT, and the response to them by Rockwell. Full disclosure, I have not personally verified these findings as we don’t have a Micrologix device in our lab, but trusting CERT for basic details is usually fine.
Let me start off by saying that I really don’t have a problem with poor security if you aren’t trying to be secure. If a trade off has been made for usability, safety requirements, or something else, then that is the prerogative of the business and those in charge of keeping its processes going. While I believe its usually a misguided choice, at least its a choice. What does bother me are security features that provide a false sense of security.
Which brings us back to the advisory. Specifically the line:
“During the authentication process, the PLC transmits the management password in plain text to the client.”
The user attempting to authenticate to the device is sent the password, in plain text no less, that they need to respond with to authenticate. That’s bad. The authentication model of the device relies on the users being nice enough to use the provided client software. This is client side authentication at its worst, and I would have thought that a professional developer with any sort of training, or experience, would have realized that that is poor design and something that should never be used.
But why should we even care about this when most devices like this don’t have any sort of authentication built in at all? Because it misleads the end user as to what their security expectations should be for the device. It could lead to opening up a hole in their firewall, allowing access from anywhere on the corporate or the control network. It requires authentication so that would be fine, right?
But it doesn’t end there, the gap between any sort of security understanding and this vendor is even more evident in their response to these vulnerabilities, contending that it would take a “highly skilled, unauthorized person, using specific tools to intercept the controller password.” Highly skilled to examine the network traffic directed at their system? And use specific tools? What does that even mean? Isn’t any given tool a specific tool? Sounds like someones PR/marketing department is a little too involved in the disclosure process. And I’m still scratching my head over the workaround advice to change the password frequently.
Vulnerabilities like this give a glimpse into the security education and development process inside the company walls, and what we’re all seeing isn’t pretty. We’ve been pushing for a while that operators and vendors alike raise the bar of security expectations in control systems, but issues like this, which are poorly thought out at best and intentionally misleading at worst, is not the way to do it.