RuggedCom fails key management 101 on Rugged Operating System (ROS)
Last Updated: 2012-08-22 00:16:41 UTC
by Adrien de Beaupre (Version: 1)
The Rugged Operating System (ROS) has a hard coded RSA private key used for SSL/TLS communications. With the private key from a server being a known value it is not difficult to decrypt any traffic to/from the device. This vulnerability could lead to loss of confidentiality, loss of integrity, and loss of availability for a device that should be secure and reliable. This is the same set of devices that had a backdoor account disclosed in April, where the account name was factory and the password was based on the MAC address. These devices are often used in SCADA and process control systems, where they should be adequately protected from any potentially hostile network access. For 'hardened' devices these two significant fails to implement security properly makes you wonder.
The key management fail is from an ICS-CERT ALERT: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-234-01.pdf
The backdoor and password management fail is here: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-116-01A.pdf
Thanks Andrew for writing in!
Adrien de Beaupré
I will be teaching SANS Sec560 in Montreal this September, and Sec542 in Vancouver this December.