Why leaving easy remote asses is a bad idea

Very interesting article - definitely gives one a lot to think about!

Although the ultimate responsibility for implementing security measures belongs of course to the end user, I've been thinking that manufacturers of internet-attached devices could help by shipping each unit with a unique random password, printed on a removable, scratch-off label attached to the device.
 
Easy remote asses? Seriously, no one has commented on that.

I have always found easy remote asses to be useful, fun and exciting but very dangerous. Really need to be careful with the hidden back doors. Leaving the easy remote asses for local asses is never easy to do.

Ok, that's all I've got!

OG
 
Very interesting article - definitely gives one a lot to think about!

Although the ultimate responsibility for implementing security measures belongs of course to the end user, I've been thinking that manufacturers of internet-attached devices could help by shipping each unit with a unique random password, printed on a removable, scratch-off label attached to the device.

That's a silly thing to expect of the manufacturer. Keeping the same default username and password is a good idea, because factory resetting can revert back to that username and password, and it's one less chunk of code to reside on an embedded device. If the installer can't remember to change a default password, they should not be working that job. Just like integrators who leave unsecured PLCs accessible via web should be fired.
 
Adapt

As with everything in the automation and controls world, security has to evolve as other technology evolves. We all know that security was not a concern with a lot of systems that were installed as little as 10 years ago because the devices weren't a target. It is obvious now that there has to be a secure network for industrial controls, but it hasn't always been the case.

This is a wake-up call that everyone needs to respond to and adapt their systems to prevent security breaches. The way I see it, this is just an opportunity for work. As was noted, there are a countless number of companies that have no clue how vulnerable they may be, and they need to have support and guidance with improving their industrial networks. Even with IT support there could still be weaknesses that can be improved.

I think this is a great opportunity to learn, adapt and improve!
 
That's a silly thing to expect of the manufacturer. Keeping the same default username and password is a good idea, because factory resetting can revert back to that username and password, and it's one less chunk of code to reside on an embedded device. If the installer can't remember to change a default password, they should not be working that job. Just like integrators who leave unsecured PLCs accessible via web should be fired.

I fully agree that implementing security features is the integrator's and, ultimately, the end-user's responsibility. But I still think that shipping each device with a unique password would provide a valuable layer of security. And the capability of resetting to a common default password, limited to people having physical access to the device (e.g. pressing a RESET button), could still be provided.
 
