Thursday, 10 May 2012
Curious researcher may have deflected major cyber attack
Posted today by Smart Grid News. cyber security researcher who had bought RuggedCom equipment and tested it found a critical security vulnerability. He notified the company about the issue last April, but heard nothing back for a year. When he contacted the company about the issue again in mid-April of this year, he was told it would need three more weeks to notify its customers, according to a story in the Christian Science Monitor. What the researcher, Justin W. Clarke, found was a back door in the product he tested, "...a secret factory log-in that could allow the manufacturer to enter the equipment's control systems without anyone knowing," according to the news article. He also discovered the password protecting the back door could be easily hacked, which could jeopardize electric grids, railroads and military systems and leave them vulnerable. Afraid the company was going to do nothing, he reported the security gap to the U.S. Computer Emergency Readiness Team (US-CERT), a federal agency under the Department of Homeland Security charged with maintaining the country's cyber security posture and managing security risks, among other things. CERT followed up with a vulnerability warning on April 24. From there, it became a hot topic among security bloggers. A few days later, RuggedCom issued a press release saying the vulnerability applied to ROM-based equipment only and not other products. The company also pledged that within the following few weeks that it would release new versions of its ROS firmware gets rid of the undocumented factory account. The company also issued a polite thank you to Clarke. Siemens acquired RuggedCom earlier this year.