back to article Schneider Electric still shipping passwords in firmware

That “don't use hard-coded passwords” infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electric's developers' eyes so they don't forget it. Yes, it's happened again, this time on the SCADA vendor's Schneider Modicon TM221CE16R, Firmware 1.3.3.3 – and without new firmware, users are stuck, …

  1. Ole Juul

    Do their buyers care?

    From their site: "Schneider Electric is a global specialist in energy management and automation with operations in more than 100 countries." I'm guessing that the people who buy this service would rather not have their heads all muddled with the realities of the internet.

    1. A Non e-mouse Silver badge

      Re: Do their buyers care?

      In a word: No.

      Having worked with our building maintenance people & their suppliers, building management suppliers' customers don't seem to care or understand about security.

      We've had to stop automatic security probes of BMS equipment because the probes were often causing the equipment to crash in interesting ways.

      We try to help them by segregating their devices, but there's only so much that can do. Our staff still want to access this kit from their desks, and the support companies want to get to the kit remotely.

      1. Doctor Syntax Silver badge
        Pirate

        Re: Do their buyers care?

        "Our staff still want to access this kit from their desks"

        And they're not the only ones.

    2. Solarflare

      Re: Do their buyers care?

      If you spent £x Million on a number of controll systems which have a lifecycle of 15 years (or more), why would the beancounters take you seriously if you went to them and said you need to move to a different supplier, costing £y Million because of a security problem (on a system which "isn't even connected to the corporate network or the internet anyway, it's all segregated!")

      1. Mayhem

        Re: Do their buyers care?

        For the same reason that we're currently involved in a major security upgrade for a big corporate customer.

        On investigation, they found that among many other things, all of their datacentres had relatively unsecured remote access to the controls side, meaning that a hostile third party could for example turn off the chillers. Doesn't take long for a datacentre to go down when it loses cooling.

        And that talks money on a scale that £x million is a very cheap fix.

    3. thames

      Re: Do their buyers care?

      No I don't think buyers would care. I've never seen anyone use the password feature on this category of hardware from any supplier.

  2. Dan 55 Silver badge
    Facepalm

    Yay, industrial control

    Where a ZX81 is considered high technology.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yay, industrial control

      Yes and no. For most uses a pack of relays with discrete logic would do the same thing, it's just cheaper and more reliable to build it with simple controller.

      It doesn't mean ZX81 is considered high technology, it means that using PC-like hardware (or even Arduino etc.) for the task is totally overblown and doesn't make sense in large scale.

      Also there's the reliability to be considered: Industrial stuff lasts at least 15 years while PC lifetime cycle seems to be 3 years and for some manufacturers even less than that.

      1. Dan 55 Silver badge

        Re: Yay, industrial control

        I guess you work in IC, because you talked about the hardware but didn't think about the software.

        There really needs to be some thought about security in IC and IC companies should change their culture when it comes to software design. We shouldn't be hearing about hardcoded passwords and the commands being misinterpreted giving you the keys to the kingdom.

      2. Captain Scarlet Silver badge

        Re: Yay, industrial control

        3 years!

        I've been proven wrong so many times in regards this when I say you need an industrial computer because of dust and heat, yet the bleeding machines (Normally HP SFF) run happily 24x7 for 7-10 years (Much to my annoyance).

  3. Amos1

    Next headline: "Cisco buys Schneider Electric"

    Why not? It seems they both like hard-coded backdoor passwords so half of the integration work is already done.

  4. Kurgan

    Reminds me of some routers

    I have found a similar flaw, almost 20 years ago, on Telindus routers. You could get the password by sending a properly crafted packet to the routers. Remotely.

    Their fix? Xor the password with a fixed key.

    LOL.

  5. fidodogbreath Silver badge
    Facepalm

    the password protecting its applications can be retrieved remotely without authentication

    Well, sure, because what if the sticky note falls off of your monitor?

  6. J. Cook Silver badge
    Boffin

    ... and that is why SCADA systems should be air gapped, or on an isolated network, with remote access via a locked down, heavily monitored terminal server with a leg on each side. (or possibly using an IP KVM for console access to the management box, which has *zero* access to the internet or the rest of the network)

    1. Anonymous Coward
      Anonymous Coward

      ....systems should be airgapped

      And then monitored to make sure that some dimwit doesn't bring a wireless router or adapter from home so they can check their emails and browse the internet. Yes, it happens.

  7. FozzyBear
    Devil

    Forget the needle

    Use a jackhammer to etch that Warning on the developers eye.

    Should drive the point home

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021