Seattle, WA ― May 23, 2013 ― IOActive, Inc., a leading provider of application security, compliance and smart grid security services, today announced that company security consultant Ruben Santamarta uncovered hard-coded user accounts that could act as backdoors in two devices from German industrial automation manufacturer TURCK. The affected devices from TURCK, which could be exploited remotely, are the BL20 and BL67 Programmable Gateways.
These devices, used primarily in the US, Europe and Asia, are deployed across many industries, including agriculture and food, automotive and critical manufacturing.
“These hard-coded user accounts pose a significant threat to organizations that have deployed the vulnerable TURCK devices. Any attacker with knowledge of the credentials can effectively remotely control the devices and reap havoc on the network – easily disrupting or shutting down critical production lines. Affected organizations should immediately apply the updated firmware from TURCK to remove these backdoors,” said Ruben Santamarta, security consultant for IOActive. “It is both surprising and disappointing that hard-coded user accounts like these continue to crop up in Industrial Control Systems. Vendors and purchasers of such critical technologies should take great care to ensure that similar vulnerabilities do not affect future product lines. The industry as a whole still has a long way to go in implementing secure development lifecycle principles.”
On Friday, 17 May, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory identifying the firmware mitigation locations associated with these vulnerabilities.
IOActive has also issued its own IOActive Labs Advisory outlining the affected products, the impact and the solution.
Established in 1998, IOActive is an industry leader that offers comprehensive computer security services with specializations in smart grid technologies, software assurance, and compliance. Boasting a well-rounded and diverse clientele, IOActive works with a majority of Global 500 companies including power and utility, hardware, retail, financial, media, aerospace, healthcare, high-tech, and software development organizations. As a home for highly skilled and experienced professionals, IOActive attracts talented consultants who contribute to the growing body of security knowledge by speaking at such elite conferences as Black Hat, Ruxcon, Defcon, BlueHat, CanSec, and WhatTheHack. For more information, visit www.ioactive.com or call +1.866.760.0222.