I had an interesting Tweetversation with Chris Jager this afternoon about ICS passwords: default passwords and default usernames.
He started the conversation with this:
“When simple Google dorks (e.g. http://bit.ly/SK43K2 ) give you info that's effective in a large # of installations, we're doing it wrong.”
Now that link is to a Google® search results page using the following search term:
"default password" plc filetype:pdf
That search returned over 8,000 results; many of which were manuals for various control systems and PLCs. I’ve only looked at a couple, but the ones that I have seen all provide default user names and default passwords for accessing the covered systems via user and admin accounts.
Now I know (sarcasm alert) that each and every time these systems were set up the person doing the set-up created new account names and passwords, deleting the default values. Would you believe most of the time? Realistically, I would not be surprised if it was only 50% of the time. For larger, more sophisticated organizations, I would bet it would be closer to 90% of the time. For the smallest organizations, if the integration was being done in house, I would bet it would be closer to 20%. But no one really knows until they try.
Given that there are some number of control systems in the wild with the default usernames and passwords active, how would an attacker figure out which ones were accessible? We would just have to turn to another search engine, Shodan, to find the internet-facing control systems of the type we were interested in. Using the Shodan information we just start trying to sign into the systems, keeping track of the ones that work.
As I told Chris: “Google + Shodan = Own a bunch of systems - Need to go into business –“
Now it is a little more involved than that, but we do have the owner’s manual to explain how to get into the system. It would just be a matter of typing and clicking lots of times. Most of the time you would not be successful, but there would be enough successes to keep one going. Besides, a real hacker would probably just write a script for testing each site and recording the successes in a nice pretty database.
Owning the Systems
The first thing that you would do when you found an accessible system is to set up your own administrator-level account on the system, just in case someone goes back and deletes the default values at some later date. That way, until someone finally realizes that there is an extra account on the system, you have complete access to the control system.
So what would you do with such access? It would depend on what you were interested in. Do you want access to the enterprise system for the organization? This would probably be a good way in; most security systems are set up to protect against access from the enterprise network to the control network, not the other way around.
Do you want to make some money? Password protect access to the system and sell the password to the owner. Do you want repeat sales? Don’t sell the password for the administrator access to the system. Or just sell the list of systems to people who really want to play dirty.
Do you want revenge for the owner’s mistreatment of you or yours? Do the Stuxnet thing with the PLC and keep reporting the expected outputs and play with the operation of the PLC. The process people will go crazy trying to track down what is playing hob with their production/quality.
Or do you just like to see things go BOOM? Play with the temperature and pressure controls and reporting on critical storage tanks. Or mess with the level reporting controls and high level alarms and watch people overfill storage tanks.
There are lots of things you can do if you own access to a system. All it takes is a little knowledge, a modicum of patience, and a little creativity.