Schneier on Security
A blog covering security and security technology.
« Peruvian Spider Species Creates Decoys |
| Cryptography Engineering Available as an eBook »
December 26, 2012
Hackers Use Backdoor to Break System
Industrial control system comes with a backdoor:
Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. "[Th]e published backdoor URL provided the same level of access to the company's control system as the password-protected administrator login," said the memo.
The security of this backdoor is secrecy. Of course, that never lasts:
Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to an FBI memo made public this week.
Posted on December 26, 2012 at 6:05 AM
• 10 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Is this a repeat? Because I'm pretty sure I've commented on this exact story before....
Why are these systems connected to the Internet? When I worked in industrial automation the security was to not plug in the network cable unless we needed to do remote debugging of the system. You can't remotely break in to a system with that level of security
I'm sure I've read that question a million times before on stories like this. Why did you use a network cable for your own systems, rather than a serial cable, or even a USB drive? Why use remote debugging instead of pulling the code off the PLC itself through the com port?
Remember, though, that systems not connected to the internet can still be hacked. Think stuxnet. Given how sophisticated stuxnet apparently was, this type of attack probably doesn't currently represent a real threat to most users. That doesn't mean it won't be in the future (knowledge and information has a tendency to spread.)
Vulnerabilities like this one exist because the vendor who makes the system had users demanding it, and none demanding that no such backdoor exist (or at least that it be possible to turn it off).
The only solution that will stick is to make companies that install these things responsible for the cost of disasters they cause or enable. And sooner or later, somebody will exploit them.
According to Ars Technica, a search of Shodan earlier this year by Rios uncovered more than 20,000 of the Niagara systems connected to the internet.
In which case I find it hard to believe that only one has been breached.
We design security systems for museums worldwide. Nearly every client wants us to allow managers to sign in to the access control and CCTV systems from home for no better reason than convenience. IT managers who should know better also want access via the Internet. We fight this battle with every project and refuse to accommodate the request. But we find, after the job is done, that the client adds this "feature" without the knowledge of their security consultant or insurer. And we often find back doors left by the contractor in spite of a specification prohibiting it.
how do you protect yourselves from client tinkering? I assume you would have to prove it, not likely any of them will come forward and admit they shot themselves in the foot by adding a little convenience...
I was actually going to mention STUXNET and the idea of hacking the industrial system indirectly by compromising the engineer's computer. It's possible, but the attacker would need a fair amount of information about the system beforehand, such as the PLC's addressing system, what devices are in the PLC rack and which machines are connected to each terminal. That would suggest physical access and schematics to work from.
The problem is, "system not connected to the Internet" is actually more a case of "system you don't expect to be connected directly to the Internet". Stuxnet managed to jump a genuine airgap by using memory sticks as an ultra-high latency connection between the Internet and 'isolated' systems; right back to Mitnick, you'd find unguarded dialin ports, modems connected to serial ports people had forgotten about etc.
Technican, checking email/sports scores on a smartphone while monitoring the "isolated" system - plugs in on USB to charge it, or it happens to have Bluetooth available to jump the airgap, or they bring in a photo of their family on a memory stick to use as the wallpaper - game over.
If the support people don't have a backdoor, the customers think the support people are stupid and incompetent. You can't sell maintenance contracts if your support people have a rep for being stupid and incompetent. No customer wants to pay for support people who aren't gods.
In my support job I regularly explain "social engineering" to people who think knowing the 800 number should get them the keys to the kingdom. I'm sure some of them just roll their eyes, call back, and get someone else on the hotline who is less scrupulous.
It's not right, but this is the world we work in, and customers tend to get what customers want.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.