ICS-CERT is warning of backdoors in a standard network module for control systems, the Schneider Electric Quantum Ethernet Module. Both static passwords and a remotely accessible debug service were found.
These backdoor revelations in industrial control equipment are becoming frequent. Earlier this year Dillon Beresford found similar backdoor vulnerabilities in Siemens equipment.
We find these types of vulnerabilities fairly often when we scan vendor code on behalf of our customers at Veracode. Our recent State of Software Security Report vol. 4 detailed the findings. We didn’t find these backdoors in internally developed, outsourced, or open source applications. We did find backdoors in 3% of software vendor developed code.
The chart above shows the results of our static and dynamic analysis of thousands of different applications over the preceding 18-month period.
Vendors add this backdoor code because it lowers their support costs. Unfortunately, that saving comes at the expense of the customer, who bears the added risk. It is easier for a vendor support technician to remotely diagnose a problem if they know a “support” password to your system or if there is a debugging interface exposed to the network. There is no need to fly on site or to relay time-consuming “remote hands” commands to a local IT employee.
We have seen an uptick in customers performing 3rd party scans on the software they are purchasing. A few years ago it was only our financial services customers that were concerned about backdoors and vulnerabilities in the code they were purchasing. Now we are seeing a much broader range of industry verticals.
The chart above shows 8 different industry types, including aerospace & defense and oil & gas, scanning 3rd party code. We are still not seeing industrial control equipment, but with this year’s news I think it is only a matter of time. 3rd party analysis will grow as operators of code continue the trend of holding vendors accountable.
Backdoor testing should always include static code scanning. How can you find a static password or cryptography key without it? Ideally this is done on the product binary. Vendors are loath to give up source code, even to a 3rd party, and even if they do they might not give you the exact source code or all of the source code. Binary scanning and backdoor testing go hand in hand, so Veracode has done research on the subject of backdoors and implemented as much of it as was practical in our binary static analysis. For further reading on testing apps for backdoors, see our “Static Detection of Application Backdoors” paper, which was presented at Black Hat Las Vegas.
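To make the point about binary scanning concrete, here is a small added example (not Veracode’s analyzer and not code from the post) of the simplest static check a reviewer can run on a product binary without source: extract printable strings the way the `strings` utility does, then flag three patterns that commonly betray a hardcoded credential: an inline `name=value` assignment whose name looks like a password or key, a literal sitting right after a credential-related keyword (a prompt or lookup-table label), and a long high-entropy token that looks like an embedded key. The sample “binary” is a constructed byte string, the keyword list and thresholds are assumptions, and the output is a triage list for a human to review, not a verdict.

```python
import math
import re
import string

# Minimum run length to count as a string, as in the `strings` utility (assumed value).
MIN_LEN = 6
# Keywords that suggest a neighbouring literal is a credential (assumed list).
CREDENTIAL_HINTS = ("password", "passwd", "pwd", "secret", "apikey", "api_key", "private_key", "backdoor")
# Printable ASCII minus line/tab control characters; space is kept so prompts survive.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
# name=value or name:value where the name looks like a password/secret/key variable.
ASSIGNMENT_RE = re.compile(r"^[A-Za-z_]*(?:pass|pwd|secret|key)[A-Za-z_]*\s*[=:]\s*\S+$", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Yield (offset, text) for every run of printable ASCII of at least min_len bytes."""
    start = None
    for i, b in enumerate(data):
        if b in PRINTABLE:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


def shannon_entropy(text: str) -> float:
    """Bits per character; random hex approaches 4.0, English prose is lower."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key(text: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Long, whitespace-free, mixed alphanumeric, high-entropy token (assumed thresholds)."""
    return (len(text) >= min_len
            and not any(ch.isspace() for ch in text)
            and any(ch.isdigit() for ch in text)
            and any(ch.isalpha() for ch in text)
            and shannon_entropy(text) >= min_entropy)


def scan_for_hardcoded_secrets(data: bytes, window: int = 16):
    """Return a list of {offset, text, reason} findings for a reviewer to examine."""
    findings = []
    pending_hint_end = None  # end offset of the last credential keyword string seen
    for off, text in extract_strings(data):
        end = off + len(text)
        lowered = text.lower()
        if ASSIGNMENT_RE.match(text):
            findings.append({"offset": off, "text": text, "reason": "credential assignment"})
            pending_hint_end = None
            continue
        # A literal that directly follows a credential keyword (prompt, table label) is suspect.
        if pending_hint_end is not None and off - pending_hint_end <= window:
            findings.append({"offset": off, "text": text, "reason": "literal adjacent to credential keyword"})
            pending_hint_end = None
            continue
        if any(hint in lowered for hint in CREDENTIAL_HINTS):
            pending_hint_end = end
            continue
        pending_hint_end = None
        if looks_like_key(text):
            findings.append({"offset": off, "text": text, "reason": "high-entropy token"})
    return findings


# Constructed stand-in for a firmware/binary image: a fake header, a benign banner,
# three planted credential patterns, and a benign error message.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Quantum Ethernet Module v1.0\x00"
    + b"\x00" * 4
    + b"support_password=Fact0ry!\x00"            # inline assignment
    + b"\x00" * 4
    + b"debug_password\x00"                        # credential keyword...
    + b"letmein42\x00"                             # ...followed by the literal it labels
    + b"\x00" * 4
    + b"0123456789abcdeffedcba9876543210\x00"      # embedded key-like token
    + b"\x00" * 4
    + b"Connection refused\x00"
)

if __name__ == "__main__":
    for f in scan_for_hardcoded_secrets(SAMPLE_BINARY):
        print(f"0x{f['offset']:06x}  {f['reason']:40s} {f['text']}")
```

Run against a real image the heuristics will produce false positives (version strings, paths, base64 blobs), which is why the result is a review queue rather than a pass/fail; the point is that none of these three checks is possible from a black-box network test, and none of them needs the vendor’s source.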
Written by: Chris Wysopal