RuggedCom to close industrial networking hardware backdoor
Canadian communications equipment specialist and Siemens affiliate RuggedCom has confirmed that its products based on the Rugged Operating System (ROS) contain an undocumented backdoor account. According to RuggedCom VP of Marketing Jim Slinowsky, versions 3.2.x and earlier of ROS expose the backdoor over the serial console, Secure Shell (SSH), web access (HTTPS), telnet and remote shell (rsh) services; ROS 3.3.x and later ship with telnet and rsh disabled, although the account itself is still reachable over the remaining services.
The company says that it will be releasing new versions of the ROS firmware that remove the undocumented factory account and also disable the telnet and rsh services by default. Updates for ROS v3.7, 3.8, 3.9 and 3.10 will be made available "in the next few weeks"; users running versions of ROS older than 3.7 are advised to upgrade to 3.7 or later so that they can apply the fix.
However, RuggedCom says that it will "address software updates to older versions of the software on a case by case basis", for those who cannot upgrade. Additionally, it plans to publish a new version of its RuggedExplorer software aimed at making it "a little easier to upgrade firmware and change ROS configuration parameters, which will help users with larger networks deploy our recommendations".
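The interim advice above amounts to two checks an operator can run across a switch estate: confirm that telnet and rsh are no longer reachable, and sort each device's ROS version into "upgrade first" (older than 3.7) or "apply the fixed firmware when released" (3.7 to 3.10). The script below is an added example written for this article, not RuggedCom's code or part of its bulletin; the host list and version strings are constructed sample data, and the version branches are taken from the company's statements above.

```python
"""Inventory check for the RuggedCom ROS backdoor advisory.

Added example, not RuggedCom's code. It probes telnet (23/tcp) and rsh
(514/tcp) on each switch and classifies the reported ROS version against
the branches named in the advisory. INVENTORY is constructed sample data.
"""
import socket
from typing import Callable, Dict, List, Tuple

TELNET, RSH = 23, 514
# Branches for which RuggedCom said fixed firmware is coming.
FIXED_BRANCHES = ((3, 7), (3, 8), (3, 9), (3, 10))

# Constructed inventory: (host, ROS version as reported by the device).
INVENTORY = [
    ("10.0.0.11", "3.2.1"),
    ("10.0.0.12", "3.7.9"),
    ("10.0.0.13", "3.10.1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.10.1' -> (3, 10, 1); tuples compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def version_advice(version: str) -> str:
    """Map a ROS version to the action the advisory implies for it."""
    branch = parse_version(version)[:2]
    if branch < (3, 7):
        return "upgrade to ROS 3.7 or later, then apply the fixed firmware"
    if branch in FIXED_BRANCHES:
        return "apply the fixed firmware for this branch when released"
    return "newer than 3.10: check RuggedCom's bulletin for this version"


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect succeeds, i.e. something is listening there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_device(host: str, version: str,
                 probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, object]:
    """Report which legacy services a device still exposes plus version advice."""
    exposed = [name for name, port in (("telnet", TELNET), ("rsh", RSH))
               if probe(host, port)]
    return {"host": host, "version": version,
            "exposed": exposed, "advice": version_advice(version)}


def audit_inventory(inventory: List[Tuple[str, str]],
                    probe: Callable[[str, int], bool] = tcp_open) -> List[Dict[str, object]]:
    return [audit_device(host, version, probe) for host, version in inventory]


if __name__ == "__main__":
    for r in audit_inventory(INVENTORY):
        flag = "EXPOSED" if r["exposed"] else "ok"
        services = ", ".join(r["exposed"]) or "-"
        print(f"{r['host']:<14} ROS {r['version']:<7} {flag:<8} {services:<12} -> {r['advice']}")
```

A closed telnet or rsh port only shows that the interim hardening took effect; the serial console, SSH and HTTPS still carry the factory account until the fixed firmware is installed, so the version column, not the port probe, decides whether a device is actually clean. The `probe` parameter exists so the logic can be exercised against a fake connector without network access.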
The backdoor in RuggedCom's industrial networking hardware, which it recommends for use in power plants, oil refineries, military environments and traffic monitoring systems, was discovered more than a year ago by security researcher Justin W. Clarke, who notified the company directly. RuggedCom reportedly confirmed knowledge of the backdoor at the time but then ceased communication with Clarke. US-CERT was subsequently notified and contacted the firm itself, also without success, after which the researcher publicly disclosed the problem on 23 April.
Further information about the factory backdoor, including a full list of affected switches and servers, can be found in RuggedCom's security bulletin. The company notes that RuggedRouter (RX1000, RX1100) and RuggedBackBone (RX15xx, RX5000) products, which run its Debian Linux-based ROX operating system, are not affected.