Password Reuse – Control Networks Double the Risk
Wednesday, December 15, 2010 @ 09:12 PM gHale
By Eric Byres
Jason Holcomb at Digital Bond wrote a great article called “Everybody Knows Your Passwords” on the issues of default passwords. In it he talked about how some control system vendors continue to bury hidden “default” passwords in their system. As Stuxnet illustrated, these passwords can fall victim to malware or hackers, making them the perfect backdoor into a company’s operations.
This week, I will add two more issues to this whole password “Hash Up” (sorry for the bad pun) that is a danger to control system security.
The first is the problem of password reuse in control systems. Password reuse is the habit we all have of using the same password on multiple systems. In the IT world it is causing considerable concern because people use the same password for signing up for a free software download site as they use for accessing their bank account.
Besides the fact you get a very undesirable “one ring to rule them all” effect, there is the real danger the free software download site might actually sell your password details to someone else so they can drain your bank account. If you want to learn more about this not-so-funny problem in a very fun format, check out xkcd’s comic strip.
Plain Text Transmission over Control Networks
Before I discuss why password reuse is an extra serious problem for control systems, I want to bring up issue number two – transmission of passwords in plain text over the network. What people don’t realize is that most popular protocols used on control systems, including HTTP, telnet, SNMPv1 and FTP, along with mainstream control systems, happily send passwords over the network in an easily readable form. In other words, if I can sniff your network while you log into your PLC, I can read your password.
Now if your programming station is on the same switch as your PLC, that might just be tolerable, as it isn’t always easy for an attacker to get access directly to the control LAN. But if you are accessing the PLC from another part of the plant, or even worse, from another site, then this is asking for trouble. Unfortunately, because few control products offer any capability to change protocols (especially the protocols used for programming) there is little you can do but encrypt all traffic leaving the control network using a VPN technology.
A Hacker’s Perfect Storm
Now combine vulnerability #1 and vulnerability #2 and you have the hacker’s perfect storm. First the hacker is able to easily determine the password for a controller that has an inherently weak password system – that is bad enough. But now the hacker will try the same password against more robust systems, such as a computer on a Windows domain, to see if it will work there. And if it does, the attacker now potentially has access to the whole system, often including equipment and services across the entire company.
There is no easy fix for this but to be aware of which systems do send passwords in the clear. Most vendors won’t tell you this, but it is easy to find out for yourself. Install a sniffer like Wireshark in a workstation and then while you capture the traffic leaving your computer, log into each of the control products you use in your plant. Next use the “Find” command in the sniffer to search the capture file for the passwords you just used on your control systems. If you can find them in the traffic file then so could a worm or hacker.
Once you know which systems have passwords sent in the clear, flag them as high risk systems and do not use those passwords for any other purpose. Also make sure that those systems are never accessed outside the control LAN, except over a VPN link that will encrypt the traffic.
Hopefully people will really think before reusing their “favorite” password, and consider the risks involved. What precautions are you taking with your business when it comes to password security? Let us know at Byres Security.
Eric Byres is the chief technology officer at Byres Security Inc.
Leave a Reply
You must be logged in to post a comment.