I’ve written here from time to time about security threats to our growing digital infrastructure. Computers are essential parts of the systems that control power stations and the power grid, telecommunications, air traffic, dams, and many other critical bits of our society’s infrastructure. These systems, sometimes called SCADA systems (for Supervisory Control and Data Acquisition), are often connected to the Internet, though some of them were designed for an era of private networking. Even those systems developed more recently may carry a legacy of design asumptions and implementation techniques that leads to security vulnerabilities. The impact of the Stuxnet worm is evidence that these scurity concerns are not overblown.
The branch of the US Department of Homeland Security that oversees critical infrastructure has warned power utilities, railroad operators, and other large industrial players of a weakness in a widely used router that leaves them open to tampering by untrusted employees.
The routers in question are manufactured by the US firm GarrettCom; according to the advisory, they contain an undocumented ‘factory’ account with a hard-coded default password. Anyone with login access to the router could exploit this flaw to gain full administrative privileges.
The vulnerability was discovered by Justin Clarke, a researcher with Cylance, a firm that specializes in the security of industrial control systems. Cylance has also published an advisory on the vulnerability.
According to the US-CERT advisory, GarrettCom has developed a patch that mitigates the flaw; users of the affected devices are urged to install the patch as soon as possible.