While it’s good that more remote sensors are communicating with each other, in some cases exchanging sensitive information in real time, bad security practices among the manufacturers of those devices remain, specifically hard-coding admin passwords into the devices. Experts speaking at Black Hat USA 2014 and at DefCon 22, sister security conferences held last week in Las Vegas, say these legacy credentials, especially on life-critical systems, pose serious problems going forward in the growing world of the Internet of Things. Recent examples cited by researchers include devices used in airport screening, satellite communications, medical practices, and industrial control systems.
Vendors defend hard-coding admin passwords into a device because it lets a service technician quickly diagnose problems and make repairs. The assumption has been that these devices were not interconnected and were usually located in a secured space. But what happens when that device is out in the field? Or, worse, in a public location? Or connected to a sensitive backend system? Or when someone with computer knowledge attempts to connect to that device, either physically or remotely? A password compiled into the firmware is identical in every unit shipped, so recovering it from a single device, for instance by pulling the firmware image and searching it for strings, unlocks all of them.
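To make the difference concrete, the following added example (not code from the article or from any vendor named in it) puts the vulnerable pattern next to a per-device alternative. The service account name, the factory password string and the hashing parameters are constructed for illustration; the point is that a single leaked secret opens every unit in the first design and none in the second, and that the hardened login fails closed until a credential has actually been provisioned.

```python
"""Hard-coded service credential (CWE-798) beside a per-device alternative.

Added example; the values below are constructed and not taken from any real device.
"""
import hashlib
import hmac
import os
import secrets

# --- Vulnerable pattern: the same "super admin" credential in every unit ---
SERVICE_USER = "service"
SERVICE_PASSWORD = "Fact0ryDefault!"   # constructed; identical in every shipped unit


def vulnerable_login(user: str, password: str) -> bool:
    """Whoever extracts this string from one unit's firmware owns every unit."""
    return user == SERVICE_USER and password == SERVICE_PASSWORD


# --- Hardened pattern: per-device secret, provisioned at install, hashed, rotatable ---
class DeviceAuth:
    ITERATIONS = 100_000  # PBKDF2 work factor; tune to the device's CPU budget

    def __init__(self):
        # {user: (salt, pbkdf2_hash)}; empty until a technician commissions the unit
        self._store = {}

    def provision(self, user: str) -> str:
        """Generate a random per-device password at commissioning and return it once.

        Only the salted hash is retained on the device, so a firmware dump
        yields nothing reusable on another unit.
        """
        password = secrets.token_urlsafe(18)
        self._set(user, password)
        return password

    def rotate(self, user: str, old_password: str, new_password: str) -> bool:
        """Change the credential; requires proof of the current one."""
        if not self.login(user, old_password):
            return False
        self._set(user, new_password)
        return True

    def _set(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._store[user] = (salt, digest)

    def login(self, user: str, password: str) -> bool:
        """Fail closed when nothing is provisioned; compare digests in constant time."""
        entry = self._store.get(user)
        if entry is None:
            return False
        salt, expected = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Model two deployed units of each design and try the leaked secret across them."""
    leaked = SERVICE_PASSWORD
    unit_a = vulnerable_login("service", leaked)
    unit_b = vulnerable_login("service", leaked)   # second unit, same baked-in string

    dev1, dev2 = DeviceAuth(), DeviceAuth()
    pw1 = dev1.provision("service")
    pw2 = dev2.provision("service")
    return {
        "vulnerable_shared": unit_a and unit_b,                       # one leak, both units
        "hardened_own": dev1.login("service", pw1) and dev2.login("service", pw2),
        "hardened_cross": dev2.login("service", pw1),                 # unit 1's secret on unit 2
        "unprovisioned": DeviceAuth().login("service", pw1),          # nothing set yet
    }


if __name__ == "__main__":
    print(demo())
```

Note that the hardened version still gives the technician a service account; what changes is that the secret is created on the device, handed over out of band once, stored only as a salted hash, and can be rotated without a firmware update.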
Speaking at Black Hat, Billy Rios, director of threat intelligence at Qualys, described several such devices used by the TSA in airports around the country. One device, the Kronos 4500, a time clock, comes with super admin passwords baked into the operating system so technicians can remotely service it. “These are essentially root on the devices,” Rios told the security conference attendees.
Another device used by the TSA, the Morpho Itemiser 3, an explosive trace detector, also contains hard-coded credentials, and as a result of Rios’ research US-CERT issued an alert on July 24, 2014. He noted that the TSA no longer uses the model that contains the hard-coded password and that the manufacturer will be removing the passwords from its older models in the future. A representative of Morpho was in the Black Hat audience. None of the other manufacturers mentioned sent representatives to the Rios talk.
The underlying problem, Rios said, is that these devices connect to the Internet, if not also to TSANet, an internal TSA network. Rios told the audience that he could not, for legal reasons, confirm that these devices had network access, but if someone else physically obtained a device (as he did) and found the super admin password (as he did), they could possibly access TSANet.
Also at Black Hat, Ruben Santamarta, principal security consultant at IOActive, showed how hard-coded credentials could be found in satellite communication systems used for air, sea or land communication. Systems within the scope of his research included those from Cobham, Harris, Hughes and Iridium. Harris spokesman Jim Burke told the Reuters news service that the company had reviewed Santamarta’s paper and “… concluded that the risk of compromise is very small.”
Santamarta told the Black Hat audience that the issues were well known yet are still present today. One of them, CVE-2013-6034, is rated in its CVE/NVD entry as having low exploitability but high severity. Santamarta said it, along with nearly a dozen others, remains unpatched.
Medical devices, too, are vulnerable. Last summer the US ICS-CERT issued an alert after Rios and colleague Terry McCorkle of Cylance discovered credentials baked into the firmware of “roughly 300 medical devices across approximately 40 vendors.” These devices, Rios said, are used in hospitals and healthcare facilities worldwide and might give an attacker access to healthcare internal networks.
Industrial control systems and SCADA devices are not immune either. Recent Black Hat conferences have presented compromises of these systems, some involving hard-coded credentials. At this year’s DefCon, attendees were able to hack into a model water station and a model smart grid, sometimes using password credentials included in the firmware. A hard-coded credential, the database password in Siemens WinCC software, also helped the Stuxnet worm spread among specific industrial control systems back in 2010.
Clearly it’s time for manufacturers to stop hard-coding credentials, customer service benefits aside. The issue, CWE-798 (Use of Hard-coded Credentials), has been ranked #7 on the CWE/SANS Top 25 Most Dangerous Software Errors list since 2011. Perhaps someone just needs to take the lead.
Rios said at the end of his talk that the TSA might be in that position. The TSA, as a government entity, has enough clout to influence the industry by adopting more stringent security practices. “They have a responsibility to do so, as well,” he told the Black Hat audience.