Today the DHS ICS-CERT published an advisory for a special
kind of control system; the the Sensys Networks traffic sensors. The twin
vulnerabilities covered in the advisory were initially reported by Cesar
Cerrudo of IOActive. Sensys has produced updated versions for two of the three
affected products with the third scheduled to be released later this month.
There is no indication that Cerrudo has been given the opportunity to verify
the efficacy of the mitigation.
The twin vulnerabilities are:
• Download of code without integrity
check - CVE-2014-2378;
and
• Missing encryption of sensitive
data - CVE-2014-2379
ICS-CERT notes that it would take a highly skilled attacker
to exploit these vulnerabilities, but it could be done from a neighboring
network.
The advisory does not mention that the vulnerabilities were
publicly disclosed in an article in Wired
magazine and was presented at the 2014
Infiltrate Conference. Nor does it mention that the vulnerabilities were publicly
denied by Sensys as late as early last month. So this was hardly a
coordinated disclosure and would typically have called for an alert in April.
I can guess why there was no alert from ICS-CERT; this is an
industrial control system only in the widest possible definition of the term.
Which begs the question; why there was an advisory published today? The only
answer that I can think of is that sensor systems like this are destined to
become part of a wider network of fully automated traffic systems that would
include control of vehicles traversing the system. This advisory may serve as an
attempted wake-up call to vehicle control system designers that their
un-hackable systems are just as vulnerable as other control systems.
That may be an important effort (if that was the impetus for
this advisory), but not if it took away from efforts to deal with control
system vulnerabilities that could threaten large populations.
Posts
No comments:
Post a Comment