RuggedCom Inserts Backdoor into Its Products
All RuggedCom equipment comes with a built-in backdoor:
The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, “factory,” that was assigned by the vendor and can’t be changed by customers, and a dynamically generated password that is based on the individual MAC address, or media access control address, for any specific device.
This seems like a really bad idea.
No word from the company about whether they’re going to replace customer units.
EDITED TO ADD (5/11): RuggedCom’s response.
Frank, Ch. Eigler • May 9, 2012 6:29 AM
Not quite “no word from the company”: http://www.ruggedcom.com/productbulletin/ros-security-page/