Bored Researcher Easily Finds Two Dozen SCADA Security Holes
The United States' industrial control systems, which run factories, power plants and transportation networks, are vulnerable to remote network attacks due to easily discovered flaws in supervisory control and data acquisition (SCADA) software created by some of the world's top vendors, a security researcher claims.
Aaron Portnoy, vice president of research at U.S.-based Exodus Intelligence, needed something to do Thanksgiving Day (Nov. 22) while he waited for his turkey to slow-cook in the oven, so he took to his computer.
In just a few hours, Portnoy said, he discovered 23 SCADA security holes that could allow hackers to cripple vital systems by executing malicious code, plus the fact that one SCADA system installs Adobe's outdated Reader 8 PDF software.
"What does a flightless bird and SCADA have in common?" Portnoy's post on the Exodus blog asks rhetorically. "They're both easy targets."
Although the flaws have huge security implications that could affect hundreds of millions of Americans, the researchers who discover them aren't always willing to play ball by disclosing the problem to the software maker.
Two companies that don't disclose vulnerabilities are France's VUPEN Security and Malta-based ReVuln Security, the latter of which said it had found SCADA flaws only a day earlier than Portnoy.
On Nov. 21, ReVuln posted a video that demonstrated various "zero-day" vulnerabilities, but provided no technical information about the flaws. Nor did ReVuln reach out to the vendors whose software was affected.
Portnoy believes some of the flaws he encountered are the same ones ReVuln refuses to disclose.
The practice of not disclosing new exploits, otherwise known as zero-day exploits, to software vendors is controversial but lucrative. National intelligence agencies are willing to pay handsomely for software vulnerabilities that must necessarily be kept secret from the software maker.
Although some businesses refuse to work with companies who don't disclose, the policy of selling exploits to bidders appears to make up for the lost clientele.
The result is that, for example, the CIA or National Security Agency — or a foreign intelligence agency — may know more about Microsoft vulnerabilities than Microsoft itself does.
The Stuxnet worm that crippled Iran's nuclear program in 2010 contained an unprecedented four zero-day exploits. Zero-day exploits are rare and valuable, and no criminal group would have wasted four of them in a piece of malware that was designed to infect a single specific industrial facility.
Unlike ReVuln, Exodus does disclose its findings so that software makers can correct the flaws. Exodus pays independent security researchers to find them.
That, Portnoy said, illustrates a fundamental difference in the way some security companies think about exploit discovery and the obligation, or lack thereof, to disclose it.
"We provide our customers with actionable information to help defend themselves or defend their clients against vulnerabilities in widely used enterprise software, whereas ReVuln seems focused on extorting SCADA vendors," Portnoy told the British tech blog the Register.
"We don't work for free," ReVuln said in an earlier statement to the Register. "We had several personal experiences in the past where vendors didn't even say thanks for reporting an issue, or they try to underpay your research with bug-bounty programs that are not worth reporting issues to them."
ReVuln's Luigi Auriemma disagreed with Portnoy's assessment of his company, and said Portnoy's criticism amounted to more than just an attack on his company.
"Portnoy is not attacking us, a little startup, but the whole market," Auriemma told the Register.
Follow Ben on Twitter @benkwx.