(LiveHacking.Com) – It has been revealed that the RuggedCom Rugged Operating System (ROS), which is used in RuggedCom’s network infrastructure devices, contains a hard-coded user account with a computable password based on the device’s MAC address. The backdoor “factory” account cannot be manually disabled, leaving any affected device open for hackers to gain complete administrative control. The revelation was made on the Full Disclosure mailing list along with a simple Perl script that calculates the password from a given MAC address.
According to a security advisory published by RuggedCom in response to the disclosure: “The secure shell (ssh) and web access (https) do not have the backdoor access as of ROS version 3.3 and above, however telnet, remote shell (rsh) and serial console do have the backdoor access in these versions. Earlier versions of the ROS software (prior to v3.3) have the backdoor access within all these services (ssh, https, telnet, rsh and the serial console).”
The company, which was bought by Siemens in March, will release a new version of ROS in “the next few weeks”. The new version will remove the factory account and disable telnet and rsh by default. Updates will be made available for ROS v3.7, 3.8, 3.9, and 3.10. Any installations using a version of ROS before v3.7 need to upgrade.
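A defender-side triage of a device inventory against the service and version details quoted above, as an added example that is not from the article, the disclosure or RuggedCom. The inventory format, device names and action labels are constructed assumptions; versions are compared as integer tuples because a string comparison would sort 3.10 before 3.3.

```python
import re
# Services the advisory lists as accepting the "factory" account.
BEFORE_3_3 = {"ssh", "https", "telnet", "rsh", "serial"}
FROM_3_3 = {"telnet", "rsh", "serial"}

def parse_version(text):
    """Return (major, minor) from strings such as 'v3.2' or 'ROS 3.10.1'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ROS version: {text!r}")
    # Integer tuples: as strings, "3.10" would wrongly sort before "3.3".
    return int(m.group(1)), int(m.group(2))

def exposed_services(version, enabled):
    """Enabled services on which the factory account is still accepted."""
    affected = BEFORE_3_3 if parse_version(version) < (3, 3) else FROM_3_3
    return sorted(affected & {s.lower() for s in enabled})

def action(version):
    """Map a version to the remediation path the article describes."""
    v = parse_version(version)
    if v < (3, 7):
        return "upgrade to a version that receives the update (v3.7-3.10)"
    if v <= (3, 10):
        return "apply vendor update for this version"
    return "not covered by the advisory text"

def triage(inventory):
    """One finding per device; 'remote' is True if a network service is exposed."""
    findings = []
    for dev in inventory:
        exposed = exposed_services(dev["version"], dev["services"])
        findings.append({
            "name": dev["name"], "exposed": exposed,
            "remote": any(s != "serial" for s in exposed),
            "action": action(dev["version"]),
        })
    return findings

# Constructed inventory (hypothetical device names and service lists).
INVENTORY = [
    {"name": "substation-sw1", "version": "v3.2", "services": ["ssh", "https", "serial"]},
    {"name": "rail-sw7", "version": "ROS 3.10.1", "services": ["ssh", "https", "serial"]},
    {"name": "traffic-sw3", "version": "3.8", "services": ["ssh", "telnet", "rsh", "serial"]},
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f)
```

Until the updated firmware is installed, devices flagged `remote` are the ones where disabling telnet and rsh, or filtering them at the network boundary, changes the exposure.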
The most alarming aspect of this backdoor access is the lack of response by RuggedCom. According to the disclosure, the company was told in April 2011 that the backdoor had been uncovered and the password was computable. In June 2011 they verbally acknowledged the existence of the backdoor and then ceased all communication. In February 2012 US-CERT was notified.
RuggedCom equipment, which is marketed as having “industrial strength” and designed for “mission-critical applications in harsh environments”, is installed in traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites.