US warns of hole in control system routers

The US Department of Homeland Security has warned of a remotely exploitable vulnerability that can open up routers in railway switches and power substations to eavesdropping.

The department's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert for the vulnerability this week (pdf).

Security researcher Justin Clarke demonstrated an exploit that could decrypt traffic between end users and mission-critical routers from Siemens’ Canadian subsidiary RuggedCom.

RuggedCom makes communications equipment designed for harsh environments, and its gear is used in power grids, transportation and railway control systems.

ICS-CERT warned that the routers contained a hard-coded private Secure Sockets Layer (SSL) encryption key. The private SSL key was the same in all RuggedCom devices.

Marcus Carey, a researcher with security firm Rapid7, said potential attackers might exploit the bug discovered by Clarke to disable communications networks as one element of a broader attack.

"It's a big deal," said Carey, who previously helped defend military networks as a member of the US Navy Cryptologic Security Group.

"Since communications between these devices is critical, you can totally incapacitate an organisation that requires the network."

ICS-CERT said the RuggedCom devices should not directly face the internet, be isolated from business networks, and sit behind firewalls.

Remote access methods such as virtual private networks were only as secure as the connected devices, it asserted.

Attacking critical infrastructure

According to Reid Wightman of Digital Bond, a control system security assessment firm, the vulnerability had “the unfortunate effect that Man-In-The-Middle attacks can be performed against [RuggedCom] products”.

“For example, any compromised host on the switch management network can be used to spoof affected RuggedCom switches, meaning that the bad guy or gal could capture legitimate usernames and passwords for the switch."

Wightman said it was a simple and effective attack, similar to what was possible with older versions of Microsoft’s Remote Desktop Protocol clients and Terminal Servers, and typical of faulty security thinking among embedded device vendors.

There have been several security issues involving RuggedCom devices this year, including a factory backdoor in some of the company’s routers.

In July, general Keith Alexander of the US National Security Agency (NSA) said there had been a 17-fold increase in computer attacks on American infrastructure between 2009 and 2011.

Alexander says the attacks were initated by criminal gangs, hackers and other countries.

The best-known cyber attack to date is the Stuxnet worm that attempted to sabotage the Iranian uranium enrichment programme at the Natanz plant.

Stuxnet attacked Siemens supervisory control and data acquisition or SCADA systems and successfully delayed Iran's programme by altering the rotational speed of centrifuges used for the uranium enrichment.

The origins of Stuxnet is still being debated, but the malware is thought to have been written by one or more Western intelligence agencies.

With Reuters.