09 March 2021

A Perfectly Bad Security Problem

And it also begs the question, "Why do you want to put everything on the Public Internet?" Hard-coded key vulnerability in Logix PLCs has severity score of 10 out of 10

10 out 10 is a hard score to get. 9.8 out of 10, sure. Steve Gibson of Security Now said it is like the Olympics. It is hard to get that score of 10.

Hardware that is widely used to control equipment in factories and other industrial settings can be remotely commandeered by exploiting a newly disclosed vulnerability that has a severity score of 10 out of 10.

The vulnerability is found in programmable logic controllers from Rockwell Automation that are marketed under the Logix brand. These devices, which range from the size of a small toaster to a large bread box or even bigger, help control equipment and processes on assembly lines and in other manufacturing environments.

This is really bad. EVERY Rockwell Automation's Logix PLC has the same, now publicly known, hard-coded password. Why? Because executives don't want to spend money on security. And besides who is ever going to figure this out? You engineers always want to spend money on something.

Today programmable logic controllers are everywhere you have a process you want to control. The types of places you might find a PLC: manufacturing lines, pharmaceutical plants, power plants, water treatment plants. I wouldn't be surprised to discover they are in cars and accessible via the diagnostic port.

2 comments:

  1. why would a plant (manufacturing lines, pharmaceutical plants, power plants, water treatment plants,etc) not be air gapped? holy shit, this is like security 101.

    the internet of things is a STUPID idea.

    ReplyDelete
    Replies
    1. That is SO Hard. To air-gap something.

      Then I have to PAY to have at least 2 people on site all the time. And I have to PAY my engineers to go out to the plant if something comes up at 3AM.

      And the average corporate executive hates to PAY for anything but refuses to pay for stuff they don't understand, and what they understand about security is a joke.

      Delete

Comment Moderation is in place. Your comment will be visible as soon as I can get to it. Unless it is SPAM, and then it will never see the light of day.

Be Nice. Personal Attacks WILL be deleted. And I reserve the right to delete stuff that annoys me.