This is the sort of story I do not want to read:
In the world of computer systems used to flip switches, open valves, and control other equipment inside giant electrical substations and railroad communications systems, you'd think the networking gear would be locked down tightly to prevent tampering by vandals. But for customers of Ontario, Canada-based RuggedCom, there's a good chance those Internet-connected devices have backdoors that make unauthorized access a point-and-click exercise.
That's because equipment running RuggedCom's Rugged Operating System has an undocumented account that can't be modified and a password that's trivial to crack. What's more, researchers say, for years the company hasn't bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.
Yeah, that's nice.
This sort of gear is everywhere in the industrial world. Hardware and software of this general design control everything, from valves at your wastewater plant (eeeewwwwww if they're inappropriately changed) to switchgear at power plants (look at the pretty light show!) and perhaps things like valves and controls at chemical plants ("kaboom").
In an early part of my professional career I wrote software to handle industrial equipment like this, specifically in the satellite earth-station industry (e.g. amplifiers, antennas, waveguide switches, etc.). This was back before the Internet and the access was typically local and over a serial terminal. But you could plug a modem into it if you wanted to, and there were password facilities allowed -- and there was no back door "default" password either. The only way to "clear" a password you lost was to perform a non-volatile memory reset, and doing that required physical access to the device.
Gear of this sort should never be connected to a public network like the Internet. You'd think people would take care of this risk, but they don't always do it. Maintenance has to be done, someone needs remote access to something, they come in via what they think is an encrypted link or "secure" interconnection and something goes wrong or (just as frequently) someone gets lazy.
The bad news here is that it appears that this particular exploit was discovered and the firm responsible notified more than a year ago.
They did nothing.
So now it's in the "wild", although if these guys found it and tried to notify the company a year ago and got stiff-armed, the "bad guys" have probably known about it for quite a while longer.
This is the sort of risk that is flatly unacceptable, yet all too common.
How hardware and software with this sort of back door gets certified for purchase by sensitive users such as chemical plants, military or nuclear facilities is a question that deserves answers -- in public at the Congressional level -- as it bears directly on national security.
I am frequently amazed at how stupid people who ought to know better actually are. Or, as is often said by people who try to make things "idiot proof": The problem is that they keep coming up with better idiots!