[ISN] Equipment Maker Caught Installing Backdoor Vows to Fix Following Public Pressure

From: InfoSec News <alerts_at_private>
Date: Tue, 1 May 2012 00:09:35 -0500 (CDT)

By Kim Zetter
Threat Level
April 30, 2012

After ignoring a serious security vulnerability in its product for at 
least a year, a Canadian company that makes equipment and software for 
critical industrial control systems announced quietly on Friday that it 
would eliminate a backdoor login account in its flagship operating 
system, following public disclosure and pressure.

RuggedCom, which was purchased recently by German conglomerate Siemens,
said in the next few weeks it would be releasing new versions of its 
RuggedCom firmware in order to remove the backdoor account in critical 
components used in power grids, railway and traffic control systems, as 
well as military systems.

The company also said in a press release that the update would disable
telnet and remote shell services by default. These two services were
communication vectors that would allow an intruder to discover and
exploit a vulnerable system.

Critics say the company should never have installed the backdoor, which
was exposed last week by independent security researcher Justin W.
Clarke, and that by doing so it has exhibited no evidence of security
awareness in its development process, raising questions about other
problems its products may contain.

Received on Mon Apr 30 2012 - 22:09:35 PDT