It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

Newly Disclosed "Back-Door" Vulnerability Built Into RuggedCom's "Mission-Critical" Switches An

page: 1
4

log in

join
share:

posted on Apr, 26 2012 @ 02:37 AM
link   
RuggedCom is a Canadian company (recently acquired by Siemens) that manufactures electronic equipment used in sensitive military and industrial "mission-critical" communication networks that operate power grids, railway traffic control systems and manufacturing facilities. Apparently, all versions of the Rugged Operating System, created by RuggedCom, had a back-door vulnerability that cannot be disabled. It featured a static username, that could not be changed by customers, and a dynamically generated password based on the device's MAC address. This built-in feature was not disclosed to customers using their devices.

RuggedCom's inclusion of the back-door without disclosure is irresponsible, at best, and perhaps even criminal. It begs the question: Was it built-in under the direct orders of a Government or was it the result of an internally-made corporate decision? Stuxnet and Duqu were two things that immediately came to my mind. The recent Siemens acquisition of RuggedCom also adds an interesting twist to the plot. I'm simply thankful that the vulnerability wasn't discovered and exploited to ill effect. Thanks goes out to Justin Clarke for finding and exposing this problem.

Link:
www.wired.com...




posted on Apr, 26 2012 @ 02:51 AM
link   

Originally posted by BULLPIN

RuggedCom is a Canadian company (recently acquired by Siemens) that manufactures electronic equipment used in sensitive military and industrial "mission-critical" communication networks that operate power grids, railway traffic control systems and manufacturing facilities. Apparently, all versions of the Rugged Operating System, created by RuggedCom, had a back-door vulnerability that cannot be disabled. It featured a static username, that could not be changed by customers, and a dynamically generated password based on the device's MAC address. This built-in feature was not disclosed to customers using their devices.

RuggedCom's inclusion of the back-door without disclosure is irresponsible, at best, and perhaps even criminal. It begs the question: Was it built-in under the direct orders of a Government or was it the result of an internally-made corporate decision? Stuxnet and Duqu were two things that immediately came to my mind. The recent Siemens acquisition of RuggedCom also adds an interesting twist to the plot. I'm simply thankful that the vulnerability wasn't discovered and exploited to ill effect. Thanks goes out to Justin Clarke for finding and exposing this problem.

Link:
www.wired.com...


I think if you are trying to put blame, should treat the corporation and government as the same entity.

It's clearly an intentional act. Luckily today the government can claim no responsibility for the acts of corporations and corporations claim no responsibility for government acts.



posted on Apr, 26 2012 @ 02:53 AM
link   
reply to post by BULLPIN
 


I do tend to believe anything electronic has a "back door" in it. It's just safer to think that way, in this day and age.

Either the companies who designed/built such devices want the access, or as you hinted, the governments want the access for their own reasons.

Either way, it's a sad world we live in where things we buy, are not truly ours to own and use as we see fit, without threat or potential for someone else to be spying on us, or accessing our information at will.

Rule #1: Want it to stay private, don't put it in digital format of any sort. Papers can be hidden, 0's and 1's cannot be hidden.



posted on Apr, 26 2012 @ 03:07 AM
link   
reply to post by BULLPIN
 


I guess, in theory, that's what I would do. Ensure I can take control of a product I've designed an manufactured if the situation calls for it.

It'd be a b!tch if someone else found it though and that's what seems to have happened. Even worse if the customer finds out but I guess that depends on the situation. Maybe it's there to protect the customer if their device is hacked and they've lost control over it.

The irony is obvious.



posted on Apr, 26 2012 @ 03:33 AM
link   
alot of stuff like this is coded in to allow the manufacturer access should there be no way for the normal administrators to log in and obviously wouldnt be generally reported as such but known that the manufacturer has the ability to get in even in the event of a system fault

i'd imagine that big sites using this stuff and military buyers would know that such a back door exists but keeping quiet is part of the contract when buying this stuff

when i worked on mainframes there was usually an engineers login which had the ability to be promoted to full admin rights if you knew the password



posted on Apr, 26 2012 @ 04:22 AM
link   
Thank you all for your comments and input. I'm pleased to have them, as this is my first thread, and I was expecting the sound of crickets chirping in an empty theatre.

What bothers me most about RuggedCom's "standard" back-door feature is that we are put at risk, unbeknownst to us, simply to facilitate convenient access to these servers/switches in the event usual routes of access fail, or are otherwise unavailable. On the other hand, one could reasonably argue that such a feature could be used to help save lives, or prevent damage, in the case of an emergency or other anomalous event. There seem to be deeper moral/ethical/philosophical considerations to hash out after a closer inspection of the issues at hand.



posted on Apr, 26 2012 @ 07:35 AM
link   
If you were to lump together all of the other highly illegal or "wrong" things allowed in computer programs initially without the public's knowledge (cookies anyone?) then you have your answer to the who and why.

NSA sends around its wish list to product design teams and the companies comply. No mystery there.



posted on Apr, 26 2012 @ 02:09 PM
link   
reply to post by Aliensun
 


Yeah, what you're saying is certainly true for US based companies. RuggedCom is/was a Canadian company and I wonder if they too are obliged to follow orders from the NSA. Know any good jokes aboot The United States of Canada or Canada being the 51st US State Hahaha. All kidding aside, the "just following orders" inclusion of this backdoor threat doesn't mitigate the risk all of us are unknowingly exposed to. There has got to be a safer and more secure way to accomplish the same objectives as these "secret" unsecured back-doors. I expect more ingenuity from the software engineers developing operating systems for these critical servers and switches. I know we're dead-heads here in North America but geez. If there are not better ways than RuggedCom's simplistic, un-innovative back-doors....we will eventually be screwed. NSA has got to find a better way, even if it means bringing someone with real brain power from India, or China, into the fold.



posted on Apr, 26 2012 @ 02:31 PM
link   
alot of the sites employing this sort of stuff will be remotely managed to keep the cost of maintenance and support down and probably will be directly managed by the manufacturer so it will require top level access to all the kit and at least it had a generated password alot of systems come preshipped with a standard username/password for admin level access and guess what people never think to change them remembers alot of Mitel phone systems had a standard uname/pwd combo that no one ever changed

if the kit has been anywhere near any government system then i'm sure the security bods in the related departments will of had the source code to check out, just like in India they managed to find the source code to various anti viruses on a state owned server



new topics

top topics



 
4

log in

join