As a process chemist I tend to think of ‘control systems’ as
those systems used in a chemical plant to control operations; the latest
advisory published by ICS-CERT reminds us that there are all sorts of systems
controlled by software. Yesterday ICS-CERT published an advisory on a traffic
control system from Post Oak. Independent researchers
Nadia Heninger, J.
Alex Haldermanb, Zakir Durumeric, and Eric Wustrow identified an insufficient
entropy vulnerability in the Bluetooth Reader Traffic System.
It would take a highly skilled attacker to exploit this
vulnerability, according to the advisory, but it would allow a
man-in-the-middle attack that could provide unauthorized access to the system.
There is no known publicly-available exploit for this vulnerability.
Another Remote Fix
Post Oak has developed a patch for the system that will mitigate
this vulnerability, though the advisory does not explicitly say that anyone has
independently verified the efficacy of the patch. That notification is
frequently provided (either positively or negatively) in these ICS-CERT
advisories, the lack of a notice one way or another is confusing. There is,
however, another potentially disturbing statement about this patch in the advisory
(page 3):
“The patch will be installed on all
new devices when initially configured. Existing equipment will be patched by remote access
[emphasis added] and upgraded to the latest firmware.”
This certainly sounds to me like Post Oak is going to link
to installed devices and upgrade the firmware pretty much without owner
intervention. In some ways that will certainly be a boon to some owners; they
won’t have to get involved in something they don’t really understand. Now
traffic control systems engineers may be different from the chemical control
systems engineers that I’ve known, but I’m not sure that I would like having
someone mess with my system (no matter how beneficially) without my specific
authorization.
Posts
No comments:
Post a Comment