Private Key Found Embedded In Major SCADA Equipment
sl4shd0rk writes "RuggedOS (a Siemens subsidiary of Flame and Stuxnet fame), an operating system used in mission-critical hardware such as routers and SCADA gear, has been found to contain an embedded private encryption key (PDF). Now that all affected RuggedCom devices are sharing the same key, a compromise on one device gets you the rest for free. If the claims are valid, systems in use which would be affected include the U.S. Navy, petroleum giant Chevron, and the Wisconsin Department of Transportation. The SCADA gear which RuggedOS typically runs on is often connected to machinery controlling electrical substations, traffic control systems, and other critical infrastructure. This is the second security nightmare for RuggedCom this year, the first being the discovery of a backdoor containing a non-modifiable account."
Of course it has a private key (Score:5, Insightful)
That part isn't the story. The story is the fact that they all have the same one. That part is insanity. Without key lifecycle management, including creation, distribution, and revocation, you might as well not use asymmetric encryption at all.
Do I even want to know? (Score:4, Insightful)
What possible reason would there be to have a shared private key among all devices? Even if there is some (weird, and probably not a good idea) requirement that it be identical across an entire user site, that should be part of a programming/keyfill process. If uniqueness is good, it should just generate a key on first boot...
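The condition the two comments above describe, every device presenting the same key, is something an operator can check for in their own fleet. The following is an added example, not code from the thread or from RuggedCom: it takes ssh-keyscan style output (host, key type, base64 blob) collected from one's own devices, computes OpenSSH-style SHA256 fingerprints and flags any key presented by more than one host. The SSH host-key format, the hostnames and the key blobs are constructed for the example; the same grouping applies to TLS certificate fingerprints.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def make_rsa_blob(e: int, n: int) -> str:
    """Build a base64 ssh-rsa public key blob. Used here only to construct sample data."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_shared_keys(scan_lines):
    """Group hosts by host-key fingerprint; return only fingerprints seen on more than one host."""
    by_fp = defaultdict(list)
    for line in scan_lines:
        if not line.strip() or line.startswith("#"):
            continue  # ssh-keyscan emits comment lines; skip them
        host, keytype, b64_blob = line.split()[:3]
        by_fp[fingerprint(b64_blob)].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}

# Constructed sample: toy moduli, not real key material. Two "devices" present the same key.
SHARED = make_rsa_blob(65537, 0xC0FFEE_DEADBEEF_1234_5678_9ABC_DEF0_1357_9BDF)
UNIQUE = make_rsa_blob(65537, 0xBADC0DE_0F0F_1111_2222_3333_4444_5555_6666_7777)
SAMPLE_SCAN = [
    "# constructed ssh-keyscan output, not from any real network",
    f"rtu-01.example.internal ssh-rsa {SHARED}",
    f"rtu-02.example.internal ssh-rsa {SHARED}",
    f"rtu-03.example.internal ssh-rsa {UNIQUE}",
]

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run against real scan output, one shared fingerprint across devices that should each have generated their own key is the finding; the fix is per-device key generation at provisioning or first boot, as the comment above suggests.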
Re:Rule One (Score:5, Insightful)
No problem (Score:4, Insightful)
For a few million dollars Siemens will quickly patch it.
Re:Well... Surprise! Surprise! Surprise! (Score:5, Insightful)
And what do you want to bet that the backdoor came from an unfriendly foreign power in the form of an intern or a contract programmer?
Meh; gross incompetence is far more likely, considering history...