The U.S. government has confirmed a researcher’s report that networking equipment from a Siemens subsidiary, RuggedCom, uses a single encryption key that can be exploited and cracked to reveal the data being transferred.
The US-CERT bulletin advises that data center operators minimize network control exposure for RuggedCom switches and system devices, secure them with firewalls, and—only if necessary—remotely access them via a virtual private network.
The vulnerability is considered serious, if only because customers who tend to buy RuggedCom equipment tend to be power companies. Following the Stuxnet attacks on uranium enrichment plants in Iran, law enforcement has focused on similar potential threats to U.S. infrastructure systems. Recent outbreaks of the Flame and Shamoon viruses (the latter a possible variant of the former) have underscored the danger.
Security researcher Justin W. Clarke revealed the vulnerability at a security conference in Los Angeles, where he said he had researched possible flaws in the RuggedCom system in his spare time.
Clarke discovered that the RSA Private PKI key for SSL communication between a client/user and a RuggedCom switch could be identified within RuggedCom’s Rugged Operating System (ROS). Since the key is hard-wired into the system, an intruder with physical access could exploit the vulnerability to decrypt traffic through the device.
In turn, that could lead to a security breach where data is captured or possibly re-routed to some other location. ICS-CERT believes that the breach is also remotely exploitable, which is why the CERT recommends that data center operators secure the equipment via a firewall or VPN.
“If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you,” Clarke said, according to a BBC report. Clarke did not offer any further updates via his blog or social-networking accounts.
ICS-CERT reported that RuggedCom had been notified of the problem, but company has not yet issued a statement confirming or denying the ICS-CERT bulletin.
In May, Clarke also discovered a vulnerability with the RuggedCom equipment, which was likewise documented in a ICS-CERT bulletin; the company had included a “factory” account and weak cryptography that could be exploited remotely to achieve complete administrative control of the device. On June 19, Ruggedcom released version 3.11.0 of its Rugged OS, which patched the vulnerability.
Image: Tatiana Popova/Shutterstock.com