back to article Schneider Electric building manager bug allows security bypass

Schneider Electric's Struxureware building management system has received a fix to address its default credentials that could have led to nasty consequences. The product called "Struxureware" – which the company says is used in hospitals, offices, data centres, utilities, the finance industry and a bunch of other verticals – …

  1. Lysenko

    “allow Admin users to circumvent access controls”

    That's some highly questionable phrasing. Admin users define the access controls (by design) so obviously they can change them[1]. Calling that "circumvention" seems a bit of a reach.

    Shipping with weak default credentials is a valid observation, but also common practice. If you are going to ship a device with any standardized default credentials then it makes no difference how complicated they are because anyone can read your website.

    [1] I'm familiar with (wrote) an app for a similar system that uses admin access to issue/revoke ACLs every 20 seconds.

    1. Anonymous Coward
      Anonymous Coward

      Re: “allow Admin users to circumvent access controls”

      "If you are going to ship a device with any standardized default credentials"

      Why does a device need to ship with default credentials? Why not a mandatory setup question before first use?

      Ill-advised use of default credentials is a problem that real computers with real OSes sorted maybe three decades ago. Sadly, it seems like that's long enough for people to (a) forget the problem (b) forget the solution.

      1. JonP

        Re: “allow Admin users to circumvent access controls”

        Default credentials makes it much easier to install and test equipment like this, especially if you've got a number of different people all needing to tweak things. If you use proper secure credentials too early you end up having to distribute them to more people than you might want to and then have to change them all when you finish, it's not worth the hassle.

        Of course when you're done you still need to make sure you've setup proper credentials, but hopefully you'll have a procedure in place to make sure that gets done...

      2. Lysenko

        Why not a mandatory setup question before first use?

        What is the point of that? The answer would have to be hard coded. These things have to work on a private LAN (preferably air gapped) with no capability to contact certificate authorities or reference time servers etc.

        As for the "real computers/OSs" bit, as I recall this system uses a MIPs SoM running Linux (a bit like a Raspberry Pi but slower, no GFX, less memory and more UARTs). Comparing it to a "real computer" is invalid. It is more like a high end washing machine in computing capability terms.

        1. Anonymous Coward
          Anonymous Coward

          Re: Why not a mandatory setup question before first use?

          " Comparing it to a "real computer" is invalid. "

          Correct, which is why I was comparing not the system but the problem and the solution.

          The problem: identical default credentials on every system of this kind around the world.

          The solution back then: ask the installer what password to use. Other more recent options might include a factory-configured password based on something system-specific printed on the box, e.g. an Ethernet MAC address.

          But hey, if people want to continue to design and ship stuff with defective by design security, a problem which has been solved for the last decade or maybe three, why not, there are no risks for the specifiers, designers, manufacturers, or vendors, and there are no consequences for them, and product liability laws are an irrelevance which don't apply to anything with software in it (or do they?).

          Why is anybody even trying to defend the indefensible practice of globally identical default credentials? Do these people work for one of the many suppliers involved?

  2. David Roberts Silver badge

    Admin user with a command prompt

    Can do stuff.

    Not earth shattering stuff then?

    I would guess that if you have a malign admin user you have all sorts of security problems.

    Edit: see Lysenko beat me to it.

  3. Ole Juul

    with or without?

    The ICS-CERT advisory notes that it's exploitable without a “low skill set”.

    Surely they don't mean to include no skill set at all.

    1. Brewster's Angle Grinder Silver badge

      Re: with or without?

      My best stab at a parse was "exploitation requires a high skill set". But "exploitable without skills" seems a better reading.

  4. allthecoolshortnamesweretaken

    "Data centre doors around the world could pop open at the click of an Enter key"

    Surely, only data centres without a proper BOFH?

    1. DropBear

      Naaah, the door-hacking would probably work equally well all across the board. The difference would be the bobcats springing forward once the doors are open with the BOFH-administered ones...

  5. All names Taken
    Facepalm

    Super User

    Maybe there should be three classes of user in general IT use:

    user

    admin user

    super user?

    It seems sensible not to allow an admin user access to super user type of stuff?

    And when it gets to secure or super secure IT use maybe there should be more classes defined or limited by allowable functions/purpose of the account?

    Just saying that's all.

    1. Down not across Silver badge

      Re: Super User

      So RBAC with separation of duties.

      Just as an example Solaris has had that available since Solaris 8.

  6. Anonymous Coward
    Anonymous Coward

    Hang on, does that mean..

    .. those Hollywood movies with people hacking into building controls are actually REALISTIC?

    Now I've heard it all.

  7. All names Taken
    Facepalm

    I mean like ...

    ... should an admin user even have access to installed apps designated for ordinary users to use like?

    And should an admin user be able to put stuff globally available just because the account is an admin account?

    I mean like, come on...

  8. Anonymous Coward
    Anonymous Coward

    My 2 cents

    Just to be clear as the publisher of this article fails to say is that StruxureWare is NOT an access system, it has no concept of access control, and has no connection to a sites door access system. StruxureWare is at this time purely BMS. If you are stupid enough to expose the system to the outside world and not set up strong user login. then i'm sorry but you shouldn't have anything to do with your networks security.

    StruxureWare BMS is still a very new product which is under constant development, if you have a problem with the product then feel free to contact the company who makes it as i'm sure they will welcome feedback and enhancement suggestions. All new products have to start somewhere, just look at Microsoft windows, I need say no more on that.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021