Hacker could take over traffic and railroad control systems using backdoor

The RuggedCom software, known as the Rugged Operating System (ROS), is used to control traffic control systems, railroad communications systems, power plants, electrical substations, and US military sites, according to a blog post by JC on Monday.

An undocumented backdoor account exists in ROS; the username for the account, which cannot be disabled, is “factory” and its password is “dynamically generated based on the device’s MAC address”, JC explained. “Multiple attempts have been made in the past 12 months to have this backdoor removed and customers notified”, JC wrote in the blog post. RuggedCom was first notified in April 2011 about the vulnerability, but so far has not taken action, JC noted.

Kaspersky Lab’s Threatpost identified the author as Justin Clarke, an independent security researcher based in San Francisco. Clarke told Threatpost that he purchased three RuggedCom devices, including RS400 and RS900 models, on eBay and obtained a copy of the company’s firmware, which he was able to reverse engineer. Developer comments hidden in the firmware revealed references to the “factory” account, and further research revealed the code for generating the password, he said.

The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert about the RuggedCom vulnerability on Wednesday. The alert explained that the exploit code affects RuggedSwitch and RuggedServer devices using ROS.

“RuggedCom is advising ROS customers to disable the rsh (remote shell) service and set the number of Telnet connections allowed to 0. The researcher has stated that the backdoor will not work over ssh (secure shell) or the web interface. With these recommendations, the back door will only be accessible via the local serial interface (RS232). ICS-CERT has not fully verified these mitigations”, the advisory said.
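The advisory's two mitigations (rsh off, Telnet session limit at 0) and the known account name give a defender two concrete things to check: whether each ROS device still exposes the remote paths the backdoor works over, and whether anyone has logged in as "factory". The script below is an added example written for this article; it is not RuggedCom's, ICS-CERT's, or the researcher's code. The device inventory fields (`rsh_enabled`, `telnet_sessions`, `ssh_enabled`) and the syslog-style authentication lines are constructed for the example and do not reflect ROS's real configuration or log format, so a practitioner would adapt the parsing to whatever their switches actually emit.

```python
import re

# Constructed inventory of ROS devices (field names assumed for this example;
# this is not ROS's own configuration format).
DEVICES = [
    {"name": "sub-a-rs900", "rsh_enabled": True,  "telnet_sessions": 4, "ssh_enabled": True},
    {"name": "sub-b-rs400", "rsh_enabled": False, "telnet_sessions": 0, "ssh_enabled": True},
    {"name": "yard-rs900",  "rsh_enabled": False, "telnet_sessions": 2, "ssh_enabled": True},
]


def audit_device(dev):
    """Return the mitigation gaps on one device, per the advisory:
    rsh must be disabled and the Telnet connection limit must be 0."""
    findings = []
    if dev["rsh_enabled"]:
        findings.append("rsh enabled")
    if dev["telnet_sessions"] > 0:
        findings.append(f"telnet sessions allowed = {dev['telnet_sessions']}")
    return findings


def audit_inventory(devices):
    """Map device name -> findings, listing only devices that still need work."""
    report = {}
    for dev in devices:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report


# Constructed syslog-style login records (format assumed; not real ROS output).
SAMPLE_LOG = """\
Apr 25 10:01:02 sub-a-rs900 auth: login user=admin service=ssh src=10.0.0.5 result=success
Apr 25 10:03:44 sub-a-rs900 auth: login user=factory service=telnet src=10.0.0.77 result=success
Apr 25 10:04:10 yard-rs900 auth: login user=factory service=rsh src=10.0.0.77 result=failure
Apr 25 10:05:00 sub-b-rs400 auth: login user=operator service=serial src=console result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) auth: login "
    r"user=(?P<user>\S+) service=(?P<svc>\S+) src=(?P<src>\S+) result=(?P<res>\S+)$"
)

# Paths the researcher says the backdoor works over (Telnet, rsh) versus the
# local serial console that remains after the advisory's mitigations.
NETWORK_PATHS = {"telnet", "rsh"}


def detect_factory_logins(log_text):
    """Flag every login attempt (successful or not) as the undocumented
    'factory' account. Attempts over a network service are rated 'high';
    a serial-console attempt is rated 'local' since it needs physical access."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["user"] != "factory":
            continue
        severity = "high" if m["svc"] in NETWORK_PATHS else "local"
        alerts.append({
            "host": m["host"],
            "service": m["svc"],
            "src": m["src"],
            "result": m["res"],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for host, findings in audit_inventory(DEVICES).items():
        print(f"{host}: {'; '.join(findings)}")
    for alert in detect_factory_logins(SAMPLE_LOG):
        print(f"ALERT [{alert['severity']}] {alert['host']} user=factory "
              f"via {alert['service']} from {alert['src']} ({alert['result']})")
```

The audit treats a non-zero Telnet limit as a finding even when rsh is already off, because the advisory requires both settings; the log check alerts on failed attempts as well as successes, since a failed "factory" login over the network is itself evidence that someone is probing for the account.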