Hard-coded passwords put industrial systems at risk

We’ve been dabbling with commercial computing for well over half a century, but we’re still making the same mistakes. One of the biggest howlers is hard-coding passwords directly into our computer and networking systems for hackers to find. Just this month, it happened again.

Schneider Electric, which makes supervisory control and data acquisition (SCADA) equipment, has been shipping products with passwords embedded in the firmware, researchers from German firm OpenSource Security revealed. They found that not only was the password for the Schneider Modicon TM221CE16R logic controller hard-coded into the firmware, but that it could not be changed.

The password in question is really a decryption key used to open a project file on the system. That key, “SoMachineBasicSoMachineBasicSoMa”, is hard-coded and cannot be changed. Decrypting the XML project file with it exposes the user password in the decrypted data, which in turn allows an attacker to modify the system.

The researchers finally went public with the information on April 4, after trying to contact Schneider Electric about it. In response, the vendor sent a mea culpa statement to SC Magazine UK, admitting that they messed up, and promising to do better.

What were they thinking?

Insecurities in SCADA systems are bad enough, because they are industrial control systems that keep serious pieces of critical national infrastructure running, ranging from water treatment plants to agricultural systems. These aren’t the kind of things that you want to be vulnerable, and yet hard-coded passwords are a common problem in that world. Siemens has been caught putting hardwired passwords into its own controllers more than once.

Hard-coded passwords also crop up in other products.

Routers are common targets for attack because vendors won’t learn from each other’s mistakes. US-CERT warned that droves of them were discovered to have hard-coded passwords in 2015.

This month, Cisco found that its Mobility Express Software, which ships with some of its Aironet wireless access points, has an admin-level SSH password hard-coded.

Lenovo included the password 12345678 in the Android and Windows versions of its SHAREit file sharing app, and in a clear entry into the “what were they thinking” category, researchers found hard-coded passwords in around 300 medical devices across approximately 40 vendors. This stuff is rampant.

Why do people hard-code passwords in the first place? One reason is that manufacturers just aren’t very good at customizing equipment rolling off the production line. Burning the same thing into every device makes them easier to manage.

Another is that it makes the development process easier. Developers will often need shared access to certain system resources such as internal databases when developing a product, and they’ll frequently embed the access passwords directly in their code to make authentication easier. They always mean to change it later, of course, but it’s often not a priority.

Unfortunately, while all these things make life easier for the vendor, they also make the products easier to hack.
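The developer habit described above, a literal password assigned to a variable and never removed, is something a build pipeline can catch before the code ships. The following is an added example, not code from the article or from any vendor it names: a small scanner that flags quoted string literals assigned to credential-looking names, while ignoring obvious placeholders and runtime references such as environment variables. The regular expression, the placeholder list and the sample input are all constructed for this illustration.

```python
import re

# Names that suggest a credential. Constructed heuristic for this example,
# not a rule set from any product or from the vendors discussed on the page.
SECRET_NAME = r"(?:password|passwd|pwd|secret|api_?key|token|(?:en|de)cryption_?key)"

# A credential-looking name assigned a quoted string literal of 4+ characters.
ASSIGNMENT = re.compile(
    rf"""(?ix)
    \b(?P<name>[A-Za-z_][A-Za-z0-9_]*{SECRET_NAME}[A-Za-z0-9_]*)
    \s*(?:=|:=|:)\s*
    (?P<quote>["'])(?P<value>[^"']{{4,}})(?P=quote)
    """
)

# Values that are obviously placeholders rather than working secrets.
PLACEHOLDERS = {"changeme", "xxxx", "<redacted>", "todo", "example", "placeholder"}


def scan_source(text):
    """Return a list of {line, name, value} findings for literal secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            # Skip placeholders and references resolved at runtime, e.g. "${DB_PASSWORD}".
            if value.lower() in PLACEHOLDERS or value.startswith("$"):
                continue
            findings.append({"line": lineno, "name": m.group("name"), "value": value})
    return findings


# Constructed sample input: a few lines in the style of a config/init file.
SAMPLE = """\
db_password = "hunter2-prod-2015"
api_key = os.environ["API_KEY"]
smtp_password = "changeme"
ssh_password = '12345678'
vault_token = "${VAULT_TOKEN}"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f['line']}: {f['name']} is assigned a literal ({len(f['value'])} chars)")
```

Run as a pre-commit hook or CI step, a check like this reports the two genuine literals in the sample (lines 1 and 4) and stays quiet about the environment lookups and the placeholder. It is deliberately simple; real secret scanners also look for high-entropy strings and known key formats, but the point is that the mistake is mechanical and therefore mechanically detectable.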

So what’s the answer? One potential solution, according to OWASP, is to use a “first login” mode that requires the user to enter a unique strong password.

This would be a great example of security by design – the concept of designing systems from the ground up with security in mind, rather than bolting it on later as an afterthought. It carries its own challenges, though: what if the user forgets their password? In that case, a factory reset would get them back to first-login mode, presumably.
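To make the “first login” idea concrete, here is an added example that is not OWASP’s code or any vendor’s firmware: a constructed model of a device’s admin-credential state in which the factory state holds no credential at all, ordinary logins are refused until a unique strong password has been set, and a factory reset returns the device to that first-login mode, as the paragraph above suggests. The class name, the strength rules and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model of a device's admin-credential state; not the firmware of
# any vendor discussed above, and not OWASP's own code.
WEAK_PASSWORDS = {"password", "admin", "12345678", "letmein"}
MIN_LENGTH = 12


def password_is_strong(pw):
    """Length, mixed character classes, and not on a tiny deny-list."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.isalpha() for c in pw)
        and any(c.isdigit() for c in pw)
        and pw.lower() not in WEAK_PASSWORDS
    )


class DeviceAuth:
    def __init__(self):
        self.factory_reset()

    def factory_reset(self):
        # Factory state holds no credential at all, so there is nothing fixed
        # for an attacker to recover; the only permitted action is provisioning.
        self._salt = None
        self._hash = None
        self.first_login = True

    @staticmethod
    def _derive(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

    def set_initial_password(self, pw):
        """Allowed exactly once after a factory reset; returns True on success."""
        if not self.first_login or not password_is_strong(pw):
            return False
        self._salt = secrets.token_bytes(16)   # unique per device, per provisioning
        self._hash = self._derive(pw, self._salt)
        self.first_login = False
        return True

    def login(self, pw):
        """Normal logins are refused until a unique password has been set."""
        if self.first_login:
            return False
        return hmac.compare_digest(self._derive(pw, self._salt), self._hash)


if __name__ == "__main__":
    dev = DeviceAuth()
    print("login before provisioning:", dev.login("anything"))
    print("weak initial password accepted:", dev.set_initial_password("12345678"))
    print("strong initial password accepted:", dev.set_initial_password("Correct-Horse-42"))
    print("login with that password:", dev.login("Correct-Horse-42"))
    dev.factory_reset()   # lost password: reset returns to first-login mode
    print("back in first-login mode:", dev.first_login)
```

The design choice worth noting is that the device never stores, or even knows, a default: the only thing burned into every unit is the rule that a password must be set before anything else works. A forgotten password is handled by the reset path, which costs the owner physical access and a reconfiguration rather than leaving a shared secret in place.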

Hard-coded passwords won’t always be visible to users. They’re buried in the source code, but can still be found by a malicious actor with motivation and the appropriate tools. So what can companies do to try and protect themselves?

Having a word with the vendor is a good place to start. Asking them how easy it would be for the company to recover the device for you in the event of a lost password can reveal whether hard-coded passwords are a known feature. Simply asking the company straight out to confirm that it doesn’t use these things is also a strategy.

However, there is always the chance that the vendor simply may not know about the vulnerability. Trust no one.

Segmenting equipment inside your organization is important, so that if someone gets access to a system, they won’t be able to move laterally without a lot of extra work and other system compromises. Use different subnets, and harden individual systems against attack.

None of this will completely eliminate the risk – in cybersecurity, nothing ever does – but it will at least reduce it.