Why ICS-CERT is wrong about default passwords!

Back in April I disclosed some vulnerabilities to ICS-CERT, a division of the US Department of Homeland Security. One of the issues was a default password in an Industrial Control System (ICS) used for solar power generation. ICS-CERT replied that a default password was not considered a vulnerability:

After analyzing the installation manual, we found that though there is a default password for this device, the manual clearly tells how to change it. We consider hard-coded (unchangeable) passwords to be a vulnerability, but we do not consider documented changeable default passwords to be a vulnerability.

I understand why someone would say this, but not in 2013! Yeah, an admin can change it, but in reality they don't seem to very often! When I have time I poke around on Shodan looking at the saved searches other people do, and a lot of them are related to SCADA or ICS systems. In many cases the saved search notes the default password. Sometimes I try them on a system just to see if it works, and there are always some systems that have the default in place. I did a lot of past blogs on these vulnerabilities, and there are tons of defaults out there that haven't been changed. ICS-CERT says an admin can change it, but I say that if the program doesn't force them to change it or generate a random password for the admin, it should be considered a vulnerability! I mean, come on, what's more dangerous: a reflected XSS that the admin has to click on to disclose credentials, or just being able to log in as the admin without sending them a phishing mail??
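The two fixes argued for above (force a change of the documented default on first login, or generate a random per-unit admin password) are easy to build into a device's account handling. The following is an added example written for this post, not code from the vendor or from ICS-CERT; every name in it (DeviceAccount, DEFAULT_ADMIN_PASSWORD, login, and the constructed default value "admin") is hypothetical.

```python
"""Added example (not from the original post): two mitigations for a
documented default password, modelled on a tiny device-account store.

1. An account shipped with the factory default is flagged "must change";
   the login path accepts the credential but refuses a normal session
   until the password has been replaced.
2. Alternatively, the device generates a random per-unit admin password
   at first boot (in practice printed on the unit's label).

All names are hypothetical; no real product is described.
"""
import hashlib
import hmac
import os
import secrets

# Constructed value standing in for a documented factory default.
DEFAULT_ADMIN_PASSWORD = "admin"


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked store does not give away the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DeviceAccount:
    def __init__(self, username: str, password: str, is_factory_default: bool):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        # A factory-default credential is flagged so the first login is forced to rotate it.
        self.must_change = is_factory_default

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))

    def set_password(self, old: str, new: str) -> None:
        if not self.verify(old):
            raise PermissionError("current password incorrect")
        # Refuse to "change" the password back to the default or to something trivially short.
        if new == DEFAULT_ADMIN_PASSWORD or len(new) < 12:
            raise ValueError("new password must not be the default and must be >= 12 characters")
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new, self.salt)
        self.must_change = False


def login(account: DeviceAccount, password: str) -> str:
    """Returns the outcome the device's login handler would act on."""
    if not account.verify(password):
        return "DENIED"
    if account.must_change:
        # Valid credential, but it is still the factory default: no session until rotated.
        return "PASSWORD_CHANGE_REQUIRED"
    return "SESSION_GRANTED"


def factory_default_account() -> DeviceAccount:
    """Option 1: ship the documented default, but force rotation on first use."""
    return DeviceAccount("admin", DEFAULT_ADMIN_PASSWORD, is_factory_default=True)


def randomized_account() -> tuple:
    """Option 2: a per-unit random password generated at first boot.

    Returns (account, initial_password); the password would be printed on
    the unit label rather than in the manual.
    """
    initial = secrets.token_urlsafe(18)  # ~144 bits of entropy, 24 characters
    return DeviceAccount("admin", initial, is_factory_default=False), initial


if __name__ == "__main__":
    acct = factory_default_account()
    print(login(acct, "admin"))                  # PASSWORD_CHANGE_REQUIRED
    acct.set_password("admin", "correct-horse-battery")
    print(login(acct, "admin"))                  # DENIED
    print(login(acct, "correct-horse-battery"))  # SESSION_GRANTED
```

The point of the "must change" flag is that the default still works exactly once, for the person doing the installation, and never again as a way into the admin interface; the random-per-unit option removes the shared default entirely, so a saved search that notes "the" password for a product line no longer describes any deployed unit.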



One Response to “Why ICS-CERT is wrong about default passwords!”

  1. Default Passwords… | Extensive Security Says:

    […] that was a surprise: the ICS-CERT obviously has the opinion, that default passwords are no vulnerability. Maybe it wouldn't be as bad if someone else says such a (strange) thing – but it was the […]
