Many years ago, I was hired to penetration-test a customer's IBM AS/400 system, and the system administrator admonished me for even trying. "AS/400s aren't like cheap and insecure little PC systems," he argued. "They're built from the ground up to be secure."
As he completed his last sentence, I logged into his system and took complete control of it. He had not changed the default account password. It had been left as is for almost 20 years. His system was contactable over the Internet, so I had to wonder, as his mouth dropped open, if I'd been the first to try the obvious.
[ Download Roger Grimes's "Data Loss Prevention Deep Dive" PDF expert guide today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. | Get a dose of daily computer security news by following Roger Grimes on Twitter. ]
This anecdote came to mind not long ago as I read about more SCADA (supervisory control and data acquisition) systems with hard-coded passwords. Legacy systems are often the culprit, but as the Stuxnet worm showed last year, even modern SCADA systems are vulnerable. More recently, a hacker going by the handle of prOF claims to have hacked into a South Houston waterworks SCADA system because it was easily findable on the Internet and had a 3-character password. Why is a public waterworks system using 3-character passwords? Why are there SCADA systems allowing 3-character passwords?
Legacy systems don't get a password pass
Most vendors ship software and hardware with default admin logon names and passwords. The better vendors force users to choose a new password when logging in for the first time, require strong passwords, and force adequate password updates after that. The worst vendors have products with hard-coded administrative passwords that cannot be changed.
The risk posed by hard-coded passwords is nothing new -- it's No. 7 on the top 25 list of dangerous software errors. SCADA systems are more at risk for a couple of reasons: The SCADA industry, in general, is at least a few years behind the rest of the software industry in writing secure code, and SCADA systems often come with long depreciation schedules. Whereas organizations might upgrade office PCs every three to five years, they would usually keep the same SCADA system running for decades.
SCADA environments are full of devices and appliances with supposedly secure operating systems. However, when examined, most fall over just as easily as their comparable software counterparts. Most contain old versions of OSes (such as Windows 3.1 and NT) and software, with aged, publicly known exploits; they also tend to have easy-to-find security bypasses, cross-site-scripting vulnerabilities, or any other software programming error that might be made in software.