SCADA manufacturers Schneider Electric have been found to be shipping products with embedded passwords.
Simon Heming, Maik Brüggemann, Hendrik Schwartke and Ralf Spenneberg from Germany's Open Source Security discovered the issue and said they went public because Schneider didn't respond to their findings.
Users of Schneider's Modicon TM221CE16R firmware 18.104.22.168 are stuck, because they can't change the password. It comes with encrypted the user/password XML file with the fixed key “SoMachineBasicSoMachineBasicSoMa”.
That means an attacker can open the control environment (SoMachine Basic 1.4 SP1), fetchand decrypt the user file and do as they please.
The researchers highlighted another threat, also on the TM221CE16R, firmware: the password protecting its applications can be retrieved remotely without authentication.
A user need only send the command below over Modbus using TCP Port 502:echo -n -e '\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00' | nc IP 502
“After that the retrieved password can be entered in SoMachine Basic to download, modify and subsequently upload again any desired application”, the researchers wrote.
America's ICS-CERT classifies Schneider Modicon kit as falling in the “Critical Manufacturing, Food and Agriculture, Water and Wastewater Systems” critical infrastructure sector.
In a statement to SC Media UK, Schneider Electric acknowledged the vulnerability and said: “Conscious about user cyber-security concerns, Schneider Electric places a high priority on the evaluation of security research as it becomes available and produces documentation to advise users on mitigations that can be taken if they are required.”
“Because of an issue in our standard process for interactions with cybersecurity advisory and consulting firms, we have missed the opportunity to respond to the researchers from OpenSource Security (Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg) and offer mitigation to users, and we do apologise for this. We're reviewing and updating our processes to make sure such a situation never happens again.”
Mark Kuhr, CTO at Synack told SC: “These types of vulnerabilities are still common in hardware components that are manufactured at scale. It is difficult to adjust the manufacturing process to burn custom firmware (with a new password for each device). Moreover, randomising the password per device would be best practice, but this does put a burden on the installer/end-user to keep track of these passwords. In some cases, the convenience of having a single password outweighs the security concerns.”
Kuhr added: “The vendor does provide recommended compensating controls such as controlling network access to the logic controller -- basically -- don't put it on the Internet directly. A recent posting from US-CERT indicates the vendor has been patching various other vulnerabilities in the M221 logic controller series that could be exploited by an attacker. Unfortunately, these types of devices are not well tested for security vulnerabilities because they are most often installed on isolated networks -- we need to change this mindset and take an offensive approach to discover these vulnerabilities ahead of our adversaries.”