27 November 2016
The number one vulnerability on the OWASP IoT Top 10 from 2014 was “Insecure Web Interface”. The OWASP IoT Project makes the following suggestions for mitigating these vulnerabilities:
A secure web interface requires:
- Default passwords and ideally default usernames to be changed during initial setup
- Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account
- Ensuring web interface is not susceptible to XSS, SQLi or CSRF
- Ensuring credentials are not exposed in internal or external network traffic
- Ensuring weak passwords are not allowed
- Ensuring account lockout after 3-5 failed login attempts
Recommendation (1) is much too weak. Customers must be forced to change passwords during initial setup.
Why? In many cases customers are simply not aware that a device is accessible from the internet. For example, HMI touchscreens are often remotely accessible through built-in web services:
[Image: SIMATIC HMI Panel]
This HMI panel is well configured: access to, e.g., the file system requires a login.
But the default login password is publicly available in SIMATIC discussion forums and was not changed during setup of the device:
[Image: SIMATIC HMI Panel File System Browser Details]
Because of this, rule (1) above will not prevent attacks on IIoT devices. Customers must be forced to change passwords as soon as the device's network adapter is powered up and connected to the company network or the internet.
Have a good week!
19 November 2016
During my daily check of the Department of Homeland Security’s ICS-CERT Advisory Feed I found an interesting report that deals with a vulnerability in a family of Schneider Electric Power Meters. I researched similar advisories and the corresponding product manuals.
From that I derived some basic rules for the design of Industrial IoT (IIoT) Devices:
- Factory default for all network adapters of IIoT devices is DISABLED.
- As soon as a network adapter is enabled, the user is forced to reset the password of the device and of all built-in users to non-trivial values. The embedded operating system should check at least against the ‘25 worst passwords’ list published in the year of manufacture.
- A reset to trivial passwords shall be rejected by the embedded operating system.
- The vendors guarantee that IIoT devices are free of backdoor accounts.
- All network connections shall be encrypted by default.
With this, the risk of cyber-attacks against IIoT devices is dramatically reduced. And if built in during the design phase, production costs will increase only moderately, if at all.
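The password rules from both posts (forced reset once the adapter is enabled, rejection of trivial and worst-list passwords, lockout after 3-5 failed attempts), as an added illustration that is not code from any vendor or from the OWASP project. The worst-passwords set, the 12-character minimum and the class and method names are constructed assumptions for the example.

```python
import hashlib
import secrets

# Constructed sample list (assumption: a real device embeds the published
# "25 worst passwords" list for its year of manufacture).
WORST_PASSWORDS = {"123456", "password", "admin", "administrator", "qwerty", "100"}
LOCKOUT_THRESHOLD = 5  # OWASP IoT: lock the account after 3-5 failed attempts


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAccount:
    def __init__(self, username: str, default_password: str):
        self.username = username
        self.default_password = default_password
        self.salt = secrets.token_bytes(16)
        self.digest = _hash(default_password, self.salt)
        self.network_enabled = False  # factory default: adapter DISABLED
        self.must_change_password = False
        self.failed_attempts = 0

    def enable_network(self) -> None:
        # Powering up the adapter forces a password reset before any login.
        self.network_enabled = True
        self.must_change_password = True

    def set_password(self, new_password: str) -> str:
        # Returns 'ok' or the reason the embedded OS rejected the new password.
        if len(new_password) < 12:
            return "rejected: shorter than 12 characters"
        if (new_password.lower() in WORST_PASSWORDS
                or new_password in (self.default_password, self.username)):
            return "rejected: trivial or on the worst-passwords list"
        self.salt = secrets.token_bytes(16)
        self.digest = _hash(new_password, self.salt)
        self.must_change_password = False
        self.failed_attempts = 0
        return "ok"

    def login(self, password: str) -> str:
        # Returns 'ok', 'password_reset_required', 'locked' or a generic 'denied'.
        if not self.network_enabled:
            return "denied"  # adapter disabled: nothing reachable to log in to
        if self.must_change_password:
            return "password_reset_required"
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            return "locked"
        if secrets.compare_digest(_hash(password, self.salt), self.digest):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        return "denied"
```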
Have a good weekend.