Siemens’ RuggedOS kit open to eavesdropping
- — 23 August, 2012 14:12
The US Department of Homeland Security (DHS) is warning that equipment from Siemens-owned industrial switch vendor RuggedCom is vulnerable to eavesdropping.
Cylance Inc security researcher Justin Clarke last week revealed an encryption vulnerability in RuggedCom network devices could allow an attacker to decipher encrypted traffic between connected devices. Clarke released proof-of-concept exploit code for the flaw.
RuggedCom switches have been deployed across a number of Australian transport corporations including the Australian Rail Track Corporation (ARTC), Queensland Rail, Public Transport Authority WA, Rio Tinto, Transgrid and Hydro Tasmania. All have deployed RuggedCom’s RS400 switch that contains the embedded Rugged Operating System (ROS), according to an ARTC document detailing an approval to use the switch as part of a signalling system.
The vulnerability stems from the fact a hardcoded RSA SSL private key in ROS can be identified.
“With the private key from a server being a known value it is not difficult to decrypt any traffic to/from the device,” Adrien de Beaupré of Canadian security firm Intru-shun.ca Inc wrote on SANS Institute’s blog Wednesday.
The key management flaw also exposes those switches to other compromised devices on a shared network, explained Reid Wightman from control system security consultancy Digital Bond.
“[A]ny compromised host on the switch management network can be used to spoof affected RuggedCom switches, meaning that the bad guy or gal could capture legitimate usernames and passwords for the switch,” he wrote, adding it was typical of "cheap consumer-grade embedded products".
Once inside ROS, Clarke found that finding the key was an easy task, telling Reuters, “there is almost no authentication, there are almost no checks and balances to stop you."
DHS’s recommended mitigation measures include:
• Minimise network exposure for all control system devices. Control system devices should not directly face the Internet. • Locate control system networks and devices behind firewalls, and isolate them from the business network. • If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognising that VPN is only as secure as the connected devices.
Clarke was also responsible for finding a backdoor in [[xref: http://www.kb.cert.org/vuls/id/889195 |RuggedCom’s|]] switches that used “factory” for the account name and relied on a password based on the device’s MAC address.
He detailed his year long struggle with RuggedCom to have the backdoor closed and the weak password fixed before deciding to publish it on seclists this April.