Submission: Researcher Finds Nearly Two Dozen SCADA Bugs in a Few Hours' Time (threatpost.com)
Trailrunner7 writes: It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. And now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work.
Aaron Portnoy, the vice president of research at Exodus, said that finding the flaws wasn't even remotely difficult.
"The most interesting thing about these bugs was how trivial they were to find. The first exploitable 0day took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison. The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself," Portnoy said in a blog post.
Portnoy said that he plans to suggest to ICS-CERT that the group consider developing a repository of SCADA software to make it easier for security researchers to do their work.