ICS-CERT Warns of Backdoors in Standard Network Module

ICS-CERT has issued a warning about backdoors in a standard network module for control systems, the Schneider Electric Quantum Ethernet Module. Both static passwords and a remotely accessible debug service were found in it.

Backdoors in industrial control systems

These backdoor revelations in industrial control equipment are becoming frequent. Earlier this year Dillon Beresford found similar backdoor vulnerabilities in Siemens equipment.

We find these types of vulnerabilities fairly often when we scan vendor code on behalf of our customers at Veracode. Our recent State of Software Security Report vol. 4 detailed the findings. We didn’t find these backdoors in internally developed, outsourced, or open source applications. We did find backdoors in 3% of software vendor developed code.

The chart above shows the results of our static and dynamic analysis of thousands of different applications over the preceding 18 month period.

Vendors add this backdoor code because it lowers their support costs. Unfortunately, that saving comes at the expense of the customer’s risk. It is easier for a vendor support technician to remotely diagnose a problem if they know a “support” password to your system or if there is a debugging interface exposed to the network. There is no need to fly on site or to relay time consuming “remote hands” commands to a local IT employee.

We have seen an uptick in customers performing 3rd party scans on the software they are purchasing. A few years ago it was only our financial services customers that were concerned about backdoors and vulnerabilities in the code they were purchasing. Now we are seeing a much broader range of industry verticals.

The chart above shows 8 different industry verticals, including aerospace & defense and oil & gas, scanning 3rd party code. We are still not seeing industrial control equipment, but with the news this year I think it is only a matter of time. 3rd party analysis will grow as operators of code continue the trend of holding vendors accountable.

Backdoor testing should always include static code scanning. How can you find a static password or cryptography key without it? Ideally this is done on the product binary. Vendors are loath to give up source code, even to a 3rd party, and even if they do they might not give you the exact source code or all of the source code. Binary scanning and backdoor testing go hand in hand, so Veracode has done research on the subject of backdoors and implemented as much of it as was practical in our binary static analysis. For further reading on testing apps for backdoors see our “Static Detection of Application Backdoors” paper, which was presented at Black Hat Las Vegas.
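As an added illustration of the binary-side first pass described above (example code written for this page, not Veracode's analysis engine): pull printable strings out of a constructed firmware blob and flag the ones that look like a static credential or a debug setting, either by a suspicious key name or by key-like entropy. The sample bytes, keyword list and threshold are all assumptions chosen for the demonstration.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample "firmware image": a few strings of the kind a backdoor
# scan looks for, embedded in non-printable padding. Not from any real product.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"user=admin\x00"
    + b"passwd=s3cr3tSUPPORT!\x00"
    + b"\x90\x90\xcc\x00"
    + b"Welcome to the device console\x00"
    + b"DEBUG_PORT=23\x00"
    + b"kJ8#mQ2$vX5&nR9!bT4@\x00"   # constructed: looks like an embedded key/token
    + b"\xde\xad\xbe\xef" * 4
)

# Runs of printable ASCII, the same first pass the `strings` tool performs.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Substrings that commonly sit next to a static credential or debug hook (assumed list).
CRED_KEYS = ("pass", "pwd", "secret", "key", "token", "debug", "backdoor", "support", "admin")
ENTROPY_THRESHOLD = 4.0   # bits per character; natural-language text sits well below this
MIN_KEY_LEN = 16          # short strings reach high entropy too easily to be meaningful

def shannon_entropy(s: str) -> float:
    """Bits per character; high values suggest a key, hash or random password."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def extract_strings(blob: bytes) -> List[Tuple[int, str]]:
    """(offset, string) pairs for every printable run in the binary."""
    return [(m.start(), m.group().decode("ascii")) for m in STRING_RE.finditer(blob)]

def scan_for_backdoors(blob: bytes) -> List[dict]:
    """Flag strings that look like hardcoded credentials or debug settings."""
    findings = []
    for offset, s in extract_strings(blob):
        lower = s.lower()
        keyword = next((k for k in CRED_KEYS if k in lower), None)
        if keyword and "=" in s:           # key=value with a suspicious name
            reason = f"keyword:{keyword}"
        elif len(s) >= MIN_KEY_LEN and shannon_entropy(s) >= ENTROPY_THRESHOLD:
            reason = "high-entropy"        # dense enough to be a key or token
        else:
            continue
        findings.append({"offset": offset, "string": s, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in scan_for_backdoors(SAMPLE_BINARY):
        print(f"0x{f['offset']:04x}  {f['reason']:<14} {f['string']}")
```

Every hit still needs a human to decide whether it is a real backdoor or a benign string, which is why a static scan is the start of a backdoor review rather than its conclusion.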

caf | December 14, 2011 11:07 pm

Does binary scanning of industrial control equipment tend to mean dismantling the device and removing ROM chips?

Chris Wysopal | December 16, 2011 1:36 am

It could mean scanning firmware but often the systems with the vulnerabilities are running Windows or Linux software.

Veracode Blog » Backdoors and Beyond | December 19, 2011 11:10 am

[...] But wait, there’s more… You recently heard our CTO, Chris Wysopal discuss in his blog post the warnings issued by ICS-CERT on backdoors in a standard network module for control systems. The [...]
