Backdoor in industrial networking hardware - Update
The Rugged Operating System (ROS), an operating system created by the developers at RuggedCom, contains an undocumented backdoor. RuggedCom, a Siemens subsidiary, specialises in industrial grade networking equipment for "harsh environments" and recommends its switches and servers for use in power plants, oil refineries, military environments and traffic monitoring systems.
A posting on a security mailing list has now documented that all ROS systems have a "factory" user account that, the author says, cannot be disabled. Its password is derived from the hardware address of the network interface; a small Perl script demonstrates how a MAC address of 00-0A-DC-00-00-00 turns into a password called
A user on the same network as the system will have no problem finding out the MAC address. As a workaround until a fix has been released, the US-CERT recommends that the affected systems' Telnet and RSH services be disabled; however, it is unclear whether the backdoor account is also accessible via SSH or HTTPS services.
The timeline of this incident is particularly troubling for customers concerned about timely fixes, as RuggedCom appears to have been contacted by the discoverer of the backdoor over a year ago. Apparently, the company confirmed knowledge of the backdoor but showed no willingness to fix it. After US-CERT was notified and in turn contacted the Siemens affiliate, apparently also without success, the issue was publicly disclosed. Siemens fully acquired the Canadian firm RuggedCom for almost $400 million earlier this year.
Update: RuggedCom has confirmed plans to release new versions of the ROS firmware that will remove the undocumented factory account and disable the telnet and rsh services by default.