Mission-critical routers used to control electric substations and other critical infrastructure are in the process of updating to remove a previously undocumented backdoor that could allow vandals to hijack the devices, RuggedCom said.
The announcement by the Ontario, Canada-based company came a few days after reports surfaced that the company’s entire line of devices running its Rugged Operating System (ROS) contained a backdoor with an easily determined password.
The backdoor, which can’t be disabled, had not been publicly acknowledged by the company until now, leaving the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear vulnerable.
The previously secret account uses the login ID and a password recovered by plugging the MAC, or media access control, address of the targeted device into a simple Perl script. An attacker could discover the backdoor on devices running early versions of Rugged OS over the Internet using secure Web browser connections, secure shell, telnet, remote shell, or serial console. On versions 3.3 and higher of the OS only telnet, remote shell, and serial console would work. Raising the risk of unauthorized access, many login screens display the device’s MAC address before a user enters valid credentials. Users can disable telnet and rsh in all versions greater than 3.3.
“In addition to eliminating the factory backdoor, telnet and rsh services will be disabled by default,” the company’s announcement read. “This change will result in newly shipped ROS devices having telnet and rsh disabled. It also results in telnet and rsh being disabled after loading factory default settings. This change has no impact on the operational status of telnet or rsh after a firmware upgrade.”
RuggedCom devices frequently go in electric substations, traffic control cabinets, and other locations where dust, extreme heat and cold, and other difficult environmental conditions take a toll on hardware. In addition to being housed in areas that are difficult to physically access, the devices frequently see use in controlling mission-critical equipment, creating a hardship for those who must update.
Compounding the difficulty of updating, the changes will occur to Rugged OS versions 3.7 and higher, a limitation that will require users of older systems to upgrade to newer versions. The updates will be available through RuggedCom’s customer support channel. The company said it will issue another bulletin with additional details in a few weeks.