Password Reuse – Control Networks Double the Risk

Last week Jason Holcomb at Digital Bond wrote a great article called “Everybody Knows Your Passwords” on the issues of default passwords. In it he talked about how some control system vendors continue to bury hidden “default” passwords in their systems. As Stuxnet illustrated, these passwords can later be accessed by malware or hackers, making them the perfect backdoor into a company’s operations.

In this week’s blog I will add two more issues to this whole password “Hash Up” (sorry for the bad pun), each of which is a danger to control system security.

Password Re-use

The first is the problem of password reuse in control systems. Password reuse is the habit we all have of using the same password on multiple systems. In the IT world it is causing considerable concern because many people use the same password to sign up for a free software download site as they use to access their bank account.

Besides the fact that you get a very undesirable “one ring to rule them all” effect, there is the real danger that the free software download site might actually sell your password details to someone else so they can drain your bank account. If you want to learn more about this not-so-funny problem in a very fun format, check out xkcd’s comic strip.

http://www.tofinosecurity.com/sites/default/files/xkcd_password_reuse.png

Plain Text Transmission over Control Networks

Before I discuss why password reuse is an extra serious problem for control systems, I want to bring up issue number two – transmission of passwords in plain text over the network. What many people don’t realize is that most of the popular protocols used on control systems, including HTTP, telnet, SNMPv1 and FTP, along with many mainstream control products, happily send passwords over the network in an easily readable form. In other words, if I can sniff your network while you log into your PLC, I can read your password.

Now if your programming station is on the same switch as your PLC, that might just be tolerable, as it isn’t always easy for an attacker to get direct access to the control LAN. But if you are accessing the PLC from another part of the plant, or even worse, from another site, then this is asking for trouble. Unfortunately, because few control products offer any capability to change protocols (especially the protocols used for programming), there is little you can do but encrypt all traffic leaving the control network using VPN technology.

A Hacker’s Perfect Storm

Now combine vulnerability #1 and vulnerability #2 and you have the hacker’s perfect storm. First the hacker is able to easily determine the password for a controller that has an inherently weak password system – that is bad enough. But now the hacker will try the same password against more robust systems, such as a computer on a Windows domain, to see if it will work there. And if it does, the attacker now potentially has access to the whole system, often including equipment and services across the entire company.

Password Precautions

As I have mentioned in earlier blogs, there is no easy fix for this other than to be aware of which systems do send passwords in the clear. Most vendors won’t tell you this, but it is easy to find out for yourself. Install a sniffer like Wireshark on a workstation and then, while you capture the traffic leaving your computer, log into each of the control products you use in your plant. Next use the “Find” command in the sniffer to search the capture file for the passwords you just used on your control systems. If you can find them in the traffic file, then so could a worm or hacker.

Once you know which systems have passwords sent in the clear, flag them as high-risk systems and do not use those passwords for any other purpose. Also make sure that those systems are never accessed from outside the control LAN, except over a VPN link that will encrypt the traffic.
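The audit described above can be scripted once the capture has been reassembled into per-connection payloads. The following is an added example, not code from the original post or from Tofino Security or Digital Bond. All host names, passwords, the SNMPv1 packet and the credential inventory are constructed sample data. It does three things: recovers the secret that each cleartext protocol named in the post (FTP, HTTP, SNMPv1, telnet) exposes in a payload, runs the post’s literal “Find” check for comparison, and then flags every other system that shares a password with a system that sent it in the clear. The inventory stores keyed HMAC fingerprints rather than the passwords themselves, so the audit file is not itself a crackable password list.

```python
"""Added audit example (constructed data, not from the original post):
recover credentials sent in the clear, then flag password reuse between
those high-risk systems and everything else in the inventory."""
import base64
import hashlib
import hmac
import re

# SNMPv1 GetRequest with community "private", hand-assembled BER (constructed).
# SEQUENCE { INTEGER version=0, OCTET STRING community, GetRequest-PDU }
SNMPV1_GET = bytes.fromhex(
    "3019" "020100" "040770726976617465"
    "a00b" "020101" "020100" "020100" "3000"
)

# Constructed sample captures: (protocol, host, reassembled payload).
CAPTURED = [
    ("ftp", "plc-01", b"USER engineer\r\nPASS Summer2010!\r\n"),
    ("http", "hmi-web", b"GET /cfg HTTP/1.1\r\nHost: hmi-web\r\nAuthorization: Basic "
     + base64.b64encode(b"admin:Summer2010!") + b"\r\n\r\n"),
    ("snmp", "switch-a", SNMPV1_GET),
    ("telnet", "rtu-07", b"login: operator\r\nPassword: Summer2010!\r\n"),
    ("ssh", "historian", b"SSH-2.0-OpenSSH_8.9\r\n" + bytes(32)),  # encrypted after banner
]


def snmpv1_community(p):
    """Community string is the OCTET STRING following the version INTEGER.
    Short-form BER lengths only, which is enough for this sample."""
    if len(p) < 7 or p[0] != 0x30 or p[2:5] != b"\x02\x01\x00" or p[5] != 0x04:
        return None
    n = p[6]
    return p[7:7 + n].decode(errors="replace")


def extract_cleartext_secret(proto, payload):
    """Return the secret a sniffer could recover from one payload, or None."""
    if proto == "ftp":  # PASS is a plain command line
        m = re.search(rb"^PASS (.*?)\r?$", payload, re.M)
        return m.group(1).decode(errors="replace") if m else None
    if proto == "http":  # Basic auth is base64("user:password"), not encryption
        m = re.search(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", payload, re.M)
        if not m:
            return None
        return base64.b64decode(m.group(1)).decode(errors="replace").partition(":")[2]
    if proto == "snmp":
        return snmpv1_community(payload)
    if proto == "telnet":  # characters typed at the prompt travel unencrypted
        m = re.search(rb"Password: (\S+)", payload)
        return m.group(1).decode(errors="replace") if m else None
    return None  # encrypted or unknown protocol: nothing recoverable


def audit_capture(captured):
    """Map host -> recovered secret for every system that exposed one."""
    exposed = {}
    for proto, host, payload in captured:
        secret = extract_cleartext_secret(proto, payload)
        if secret is not None:
            exposed[host] = secret
    return exposed


def naive_find(password, captured):
    """The post's sniffer 'Find': hosts whose raw payload contains the password."""
    return sorted(h for _, h, p in captured if password.encode() in p)


AUDIT_KEY = b"constructed-audit-key"  # keep separate from the inventory file


def fingerprint(secret):
    """Keyed fingerprint so the inventory never holds a bare password hash."""
    return hmac.new(AUDIT_KEY, secret.encode(), hashlib.sha256).hexdigest()


# Constructed credential inventory: host -> fingerprint of its current password.
INVENTORY = {h: fingerprint(s) for h, s in {
    "plc-01": "Summer2010!", "hmi-web": "Summer2010!", "rtu-07": "Summer2010!",
    "switch-a": "private", "historian": "Summer2010!", "ad-domain": "Summer2010!",
    "vpn-gw": "Kx9#mL2pQ",
}.items()}


def reuse_violations(exposed, inventory):
    """{high_risk_host: sorted other hosts using the same password}."""
    out = {}
    for host, secret in exposed.items():
        fp = fingerprint(secret)
        others = sorted(h for h, f in inventory.items() if h != host and f == fp)
        if others:
            out[host] = others
    return out


if __name__ == "__main__":
    exposed = audit_capture(CAPTURED)
    for host, others in reuse_violations(exposed, INVENTORY).items():
        print(f"HIGH RISK {host}: password sent in clear, reused on {', '.join(others)}")
```

On the constructed data the literal “Find” check only turns up the FTP and telnet hosts; the HTTP Basic login carries the same password but base64-encoded, so a plain text search misses it even though anyone sniffing the wire decodes it trivially. That is the one refinement to the post’s procedure worth remembering: search for the encoded forms as well, or let the sniffer decode the authentication header for you.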

I hope that people will really think before reusing their “favorite” password, and consider the risks involved. What precautions are you taking with your business when it comes to password security? Let us know in the comments below.

Comments

1. A current practice requires insertion of digits (0-9) amongst letters in a password, in an attempt to prevent use of guessable passwords. This causes people to write the password down, because it is less memorable. The written password can often be found in a drawer adjacent to the user's computer.

2. Working on national-level projects such as customs and population registry, and examining the security levels of these projects, I once found passwords in a waste-paper basket behind a computer, torn off from a teletype terminal, after the user had logged on in the morning.

3. Having received authority to attempt to crack a national-level project, I did so in 40 minutes by locating the program's source code, deleting the lines of code calling the Password Routines, and recompiling. Worked a treat. Obviously an inside job, but for installations at the level of Stuxnet targets, equally obviously a consideration.