Ever since Stuxnet managed to disrupt the workings of the Natanz nuclear facility, the security of industrial control systems (ICS) has deservedly received a lot of attention. Many security researchers have begun analyzing the hardware and software employed in critical infrastructure installations, and have discovered a host of vulnerabilities.
The latest of these is an undocumented backdoor that ioActive researcher Reid Wightman discovered in CoDeSys, a piece of software that manages equipment in power plants, military and industrial establishments, and other similarly crucial environments.
The software is ubiquitous, as it is embedded in programmable logic controllers (PLCs) produced and sold by 261 different manufacturers, and allows potential attackers to compromise systems that are connected to the Internet by simply issuing commands through the command shell, without the need to authenticate themselves to it.
Wightman has tested two PLCs so far – one running Microsoft Windows CE on ARM chips, and the other running Linux on Intel-compatible ones – and found them both vulnerable.
He then searched for these devices via the Shodan search engine for finding devices exposed online, and discovered 117 devices connected to the Internet – a figure he suspects would be much higher if he did more refined searches.
According to ars technica, CoDeSys’ designers – 3S-Smart Software Solutions – have released an advisory advising users to set a password.
But, Wightman notes, that does nothing to protect access to the backdoor shell.
Wightman’s former colleagues at Digital Bond have tested “a handful” of the 261 vendor products, and are currently compiling a list of affected (and not) devices. So far, only one of the vendor’s products has passed the test, and that’s because the vendor discovered the flaw and fixed it.
As much as the patching and continuous updating of these small but critical devices is difficult, a solution will have to be found – sooner rather than later.