Incident: Backdoor Login Account Vulnerability in RuggedCom Operating System

Published Date: 2012-04-25

Postmortem Analysis
Timeline 1. The researcher who found the backdoor notified RuggedCom in April 2011 [Article 11157]. 2. The vulnerability was publicly disclosed and reported in an article published on April 30, 2012, roughly a year later and still without a fix in customers' hands [Article 11157]. 3. The backdoor was present in all versions of the Rugged Operating System, so the defect predates its discovery; April 2011 is the earliest date the articles establish for the vendor's knowledge of it [Article 11157, Article 11160].
System 1. Rugged Operating System made by RuggedCom [Article 11160, Article 11157] 2. RuggedCom firmware [Article 11157]
Responsible Organization 1. RuggedCom, the Canadian company that makes equipment and software for critical industrial control systems, was responsible for causing the software failure incident by planting a backdoor login account in its flagship operating system [Article 11160]. 2. Siemens, the German conglomerate that recently purchased RuggedCom, can also be considered responsible as it inherited the security vulnerability issue from RuggedCom after the acquisition [Article 11157].
Impacted Organization 1. Critical industrial control systems used in power grids, railway and traffic control systems, military systems, and manufacturing facilities were impacted by the software failure incident reported in the articles [Article 11157, Article 11160].
Software Causes 1. The direct software cause was an undocumented backdoor login account in the Rugged Operating System that gave anyone who could reach a device a way to authenticate without any customer-provisioned credential [Article 11157, Article 11160]. 2. The account used a static, vendor-assigned username, "factory", and a password generated from the individual device's MAC address [Article 11157, Article 11160]. A MAC address is not a secret (it is visible to anything on the same network segment and is commonly printed on the device), so once the derivation was understood the password for any device followed from an identifier an attacker could simply read. 3. The account could not be disabled or changed by customers and was present in every version of the Rugged Operating System, so no configuration choice could close it; only a firmware change could [Article 11160]. 4. The exposure was prolonged by RuggedCom's failure to act after being notified by the researcher and by CERT, which points to the absence of any process for handling security reports against released products [Article 11157, Article 11160].
Non-software Causes 1. Lack of security awareness in the development process at RuggedCom, leading to the installation of a backdoor login account in the flagship operating system [Article 11157]. 2. Failure of RuggedCom to acknowledge and address the security vulnerability introduced by the backdoor, despite being aware of its existence [Article 11160].
Impacts 1. The software failure incident involving the backdoor login account in RuggedCom's flagship operating system had serious security implications for critical industrial control systems, including power grids, railway and traffic control systems, and military systems [Article 11157, Article 11160]. 2. The presence of the backdoor account allowed potential attackers to access devices online, posing a significant security risk to the infrastructure [Article 11160]. 3. The incident raised concerns about the lack of security awareness in the development process of the company's products, leading to questions about other potential vulnerabilities in their systems [Article 11157]. 4. Customers were required to upgrade their firmware to eliminate the vulnerability created by the backdoor, resulting in additional costs, downtime, and risks for the end users [Article 11157]. 5. The incident highlighted the need for vendors to participate in responsible coordinated disclosure when security vulnerabilities are identified, emphasizing the importance of timely responses and actions to address such issues [Article 11157].
Preventions 1. Implementing a thorough security review process during the development phase to identify and address vulnerabilities before the product is released [Article 11157]. 2. Engaging in responsible coordinated disclosure when security researchers report vulnerabilities, rather than ignoring or delaying responses to such reports [Article 11157, Article 11160]. 3. Providing timely and transparent communication with customers about security vulnerabilities and the steps being taken to address them [Article 11157]. 4. Avoiding the inclusion of backdoor accounts or hardcoded passwords in software and hardware products [Article 11157, Article 11160]. 5. Regularly updating firmware and software to patch vulnerabilities and improve security [Article 11157, Article 11160].
Fixes 1. Implementing a firmware upgrade to remove the backdoor login account and disable telnet and remote shell services by default in the RuggedCom operating system [Article 11157]. 2. Providing more explanation to customers about the incident and assuring them that such vulnerabilities will not happen again in the future [Article 11157]. 3. Addressing the security vulnerabilities promptly and responsibly through coordinated disclosure with security researchers and organizations like CERT [Article 11157, Article 11160]. 4. Conducting thorough security assessments and audits of the software to identify and fix any other potential vulnerabilities that may exist in the product [Article 11157]. 5. Enhancing the security awareness and processes within the development team to prevent similar security lapses in the future [Article 11157].
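To make the design failure concrete, here is an added example (not code from the articles, from RuggedCom or from the researcher) that models a "factory" account whose password is a function of the device MAC, using a made-up derivation in place of the vendor's, which is deliberately not reproduced. The ARP snapshot, the account class, the iteration count and the account name "support" are constructed for illustration. It shows that harvesting MAC addresses from an ARP cache is enough to log in to every device, and contrasts that with a per-device random credential that the owner can rotate or disable, which is what the "avoid backdoor accounts" prevention and the "remove the account" fix amount to in code.

```python
"""Added example, not code from the articles or from RuggedCom: models the
reported design (static username "factory", password derived from the device
MAC) with a MADE-UP derivation, shows why knowing a MAC is enough to log in,
and contrasts it with per-device random credentials the owner can rotate or
disable. Everything except the account name and the MAC-derivation idea is
an assumption for illustration."""
import hashlib
import hmac
import os
import re
import secrets

VENDOR_ACCOUNT = "factory"   # static username reported in the articles


# --- The flawed design: password is a function of a public identifier ---------

def weak_password_for(mac: str) -> str:
    """HYPOTHETICAL stand-in for the vendor's derivation (the real algorithm is
    not reproduced). The point is structural: whatever the function is, the
    password carries no secret that the MAC does not already give away."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:8]


def weak_login(mac: str, username: str, password: str) -> bool:
    """Authentication as the articles describe it: the vendor account cannot be
    disabled or changed, so this check ignores every customer setting."""
    return username == VENDOR_ACCOUNT and hmac.compare_digest(
        password, weak_password_for(mac))


# MAC addresses are not secrets: they sit in ARP caches, switch tables and on
# device labels. Constructed `arp -a`-style snapshot using locally administered
# (02:...) addresses, not any real vendor OUI.
ARP_SNAPSHOT = """\
? (10.1.2.3) at 02:00:5e:00:00:01 [ether] on eth0
? (10.1.2.4) at 02:00:5e:00:00:02 [ether] on eth0
? (10.1.2.9) at 02:00:5e:00:00:09 [ether] on eth0
"""
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)


def macs_from_arp(text: str) -> list:
    return MAC_RE.findall(text)


def compromise_from_arp(text: str) -> list:
    """Attacker's work per device once the derivation is known: one guess.
    Returns the (mac, password) pairs that weak_login accepts."""
    hits = []
    for mac in macs_from_arp(text):
        pw = weak_password_for(mac)
        if weak_login(mac, VENDOR_ACCOUNT, pw):
            hits.append((mac, pw))
    return hits


# --- What a per-device support credential should look like instead ------------

class ProvisionedAccount:
    """Random secret generated at manufacture, stored only as a salted PBKDF2
    hash, and under the owner's control (rotate/disable). Assumed design."""

    ITERATIONS = 100_000   # illustrative work factor

    def __init__(self, username: str):
        self.username = username
        self.enabled = True
        self.salt = os.urandom(16)
        # Shown once to the buyer (e.g. on a sealed card); not derivable later.
        self.initial_secret = secrets.token_urlsafe(18)
        self.digest = self._kdf(self.initial_secret, self.salt)

    @classmethod
    def _kdf(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def verify(self, username: str, password: str) -> bool:
        if not self.enabled or username != self.username:
            return False
        return hmac.compare_digest(self.digest, self._kdf(password, self.salt))

    def rotate(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = self._kdf(new_password, self.salt)
        self.initial_secret = None   # plaintext is no longer retained anywhere

    def disable(self) -> None:
        self.enabled = False


if __name__ == "__main__":
    for mac, pw in compromise_from_arp(ARP_SNAPSHOT):
        print(f"{mac}: {VENDOR_ACCOUNT}/{pw}")
    acct = ProvisionedAccount("support")
    print("random credential verifies:", acct.verify("support", acct.initial_secret))
    acct.disable()
    print("after disable:", acct.verify("support", acct.initial_secret))
```

The contrast to take away is the size of the attacker's search space: with the weak scheme it is one candidate per device, computable from a value the device itself advertises, whereas with the provisioned account it is the full output space of the random generator, and the owner can end the account's validity without a firmware change.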
References 1. Justin W. Clarke, independent security researcher [Article 11157, Article 11160] 2. Reid Wightman, security researcher at Digital Bond [Article 11157] 3. Dale Peterson, founder and CEO of Digital Bond [Article 11157] 4. Department of Homeland Security's Industrial Control System Cyber Emergency Response Team [Article 11157, Article 11160] 5. CERT Coordination Center at Carnegie Mellon University [Article 11157, Article 11160] 6. RuggedCom [Article 11157, Article 11160] 7. Siemens [Article 11157, Article 11160]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) one_organization: The articles describe a single incident at RuggedCom, but the flaw was not a one-off: the backdoor account shipped in all versions of the Rugged Operating System, so the same defect was released repeatedly, and the company kept shipping it for the year after it was notified [Article 11157, Article 11160]. (b) multiple_organization: Siemens, the German conglomerate that acquired RuggedCom, had itself been criticised for backdoors and hard-coded passwords in some of its industrial control system components, and the articles present hard-coded credentials as a recurring weakness across industrial control system vendors rather than a RuggedCom peculiarity [Article 11160].
Phase (Design/Operation) design, operation (a) design: The backdoor account was built into the Rugged Operating System during development. Security researcher Justin W. Clarke found it in the firmware of used RuggedCom devices [Article 11157, Article 11160]. The account's static username and MAC-derived password could not be changed or disabled by customers, and it was present in all versions of the operating system, so the exposure of power grid, railway, traffic control and military deployments followed directly from a design decision rather than from any customer misconfiguration. (b) operation: The vendor's handling of the report compounded the design flaw. Clarke notified RuggedCom in April 2011; the company neither fixed the issue nor warned customers, and it remained unresponsive after the Department of Homeland Security's Industrial Control System Cyber Emergency Response Team and the CERT Coordination Center became involved [Article 11157, Article 11160]. Public disclosure by the researcher was the consequence of that operational failure to act.
Boundary (Internal/External) within_system, outside_system (a) within_system: The failure originates inside the product. The Rugged Operating System shipped with an undocumented login account, static username and MAC-derived password, that customers could neither disable nor change, and that allowed online access to devices in power grids, railway and traffic control systems and military systems [11157, 11160]. RuggedCom knew of the account and did not fix it on its own initiative [11157, 11160]. (b) outside_system: The discovery and the eventual fix both came from outside. Independent researcher Justin W. Clarke found the account in firmware from used devices and, after a year without a response, disclosed it publicly; the Department of Homeland Security's ICS-CERT and the CERT Coordination Center at Carnegie Mellon University were engaged after he notified them [11157, 11160]. External pressure, not an internal process, produced the firmware update, which is why the articles stress vendor participation in coordinated disclosure [11157].
Nature (Human/Non-human) human_actions (a) non-human_actions: No non-human contributing factor (hardware fault, environmental event, third-party outage) is reported. The exploitable condition is a property of the shipped firmware: a static username and a password derived from the device's MAC address, which customers could neither change nor disable [Article 11157, Article 11160]. (b) human_actions: Both the defect and its persistence were human decisions. RuggedCom chose to include the undocumented account in its flagship operating system [Article 11160]; it then ignored the researcher's April 2011 notification for about a year and did not respond to CERT, showing, as the critics quoted in the articles put it, no evidence of security awareness in its development process [Article 11157, Article 11160]. The account was found by Justin W. Clarke after he purchased used RuggedCom devices and examined their firmware [Article 11157, Article 11160]; the cost of the vendor's inaction fell on customers, who had to upgrade firmware to eliminate the vulnerability [Article 11157].
Dimension (Hardware/Software) software (a) hardware: The affected products are embedded devices deployed in power grids, railway and traffic control systems and manufacturing facilities [Article 11157, Article 11160], but hardware is not the root cause. Hardware enters in only two ways: the password was derived from the device's MAC address, a hardware identifier readable by anyone on the network, and the fix had to be delivered as a firmware upgrade to equipment already in the field, with the cost and downtime that implies [Article 11157]. (b) software: The root cause is in the Rugged Operating System itself: an undocumented login account built into the firmware, present in all versions, that customers could not disable [Article 11157, Article 11160]. The remedy was likewise software, namely new firmware that removes the account and disables telnet and remote shell services by default [Article 11157].
Objective (Malicious/Non-malicious) malicious (a) The articles report that the backdoor account was deliberately built into the Rugged Operating System by RuggedCom and kept undocumented, that it could not be disabled, and that it let anyone who knew the MAC-derived password access the device online [11157, 11160]. The company knew of the account and did not remove it until pressure from the researcher led to a firmware update [11157]. The "malicious" classification rests on the deliberate, hidden nature of the access path; the articles do not report RuggedCom's motive, and they make no claim that the company intended to compromise its own customers. (b) non-malicious does not fit because the account was not an unintentional coding fault: it was a designed, undocumented feature whose effect was to defeat the customers' own access control [11157, 11160].
Intent (Poor/Accidental Decisions) poor_decisions (a) The intent of the software failure incident: - The incident involved poor decisions made by the Canadian company that makes equipment and software for critical industrial control systems. They installed a backdoor login account in their flagship operating system, which was discovered by a security researcher [Article 11160]. - The company exhibited no evidence of security awareness in its development process, as they ignored a serious security vulnerability for at least a year and failed to address it until pressure was applied [Article 11157].
Capability (Incompetence/Accidental) development_incompetence (a) development_incompetence: RuggedCom, a Canadian maker of equipment and software for critical industrial control systems, shipped a backdoor login account in its flagship operating system and left it in place for at least a year after being told about it [Article 11157]. The account was exposed by independent researcher Justin W. Clarke, who found it after buying used RuggedCom devices and examining their firmware [Article 11157]. Critics quoted in the articles saw no evidence of security awareness in the development process: the backdoor made it into release, and there was no process for handling security concerns in already-released products [Article 11157]. (b) accidental does not apply: the account was deliberately placed in every version of the Rugged Operating System, and RuggedCom acknowledged its existence [Article 11160]. Neither its creation nor the year-long failure to remove it was an accident; what was missing was the competence, or the process, to recognise a non-disableable vendor account with a MAC-derived password as a vulnerability and to act on an external report of it [Article 11157, Article 11160].
Duration permanent, temporary (a) permanent: The backdoor was present in all versions of the Rugged Operating System and could not be disabled by customers, so every deployed device carried it from the day it shipped until its firmware was replaced [Article 11160]. In the taxonomy's terms the contributing factor was introduced in all circumstances: it was a design decision, not a condition that arose in some deployments and not others. (b) temporary: The condition is removable. RuggedCom announced new firmware that removes the account and disables telnet and remote shell services by default [Article 11157], so for devices that receive the upgrade the exposure ends. Devices that are not upgraded, a realistic situation for equipment in power grids and railway systems where an update costs downtime, remain exposed indefinitely [Article 11157].
Behaviour omission, value, other (a) crash: Not applicable; the system neither lost state nor stopped performing its functions. The device kept operating normally while also accepting credentials it should not have [Article 11157, Article 11160]. (b) omission: The system omitted an intended function, enforcing the customer's access-control policy. Customers could not disable or change the "factory" account, so the device never gave its owner the control over authentication that an industrial device is expected to provide [Article 11157, Article 11160]. (c) timing: Not applicable; no function was performed too early or too late. (d) value: The authentication routine produced the wrong result, returning success for a username and MAC-derived password that no customer had provisioned [Article 11157, Article 11160]. (e) byzantine: Not applicable; the behaviour was consistent and deterministic, which is precisely what made it exploitable on every device. (f) other: The vendor's behaviour is the remaining failure mode. RuggedCom was aware of the account, did not act on the researcher's April 2011 notification or on CERT's involvement, and issued a fix only after public disclosure and pressure from security researchers [Article 11157, Article 11160].

IoT System Layer

Layer Option Rationale
Perception embedded_software (a) sensor: Not implicated. The failure is not a sensor error; the backdoor account lives in the operating system that runs on RuggedCom's control-system equipment, not in any sensing component [Article 11157, Article 11160]. (b) actuator: Not implicated. No actuator malfunction is reported; the concern is that an attacker who logs in through the backdoor could reach the control systems the devices serve [Article 11157, Article 11160]. (c) processing_unit: Not the root cause. The processor executes the firmware as written; the routine that accepts the static username "factory" and the MAC-derived password is software, not a fault in the processing hardware [Article 11157, Article 11160]. (d) network_communication: Not the root cause. The account was reached over the network, which is why the fix also disables telnet and remote shell services by default [Article 11157], but the network stack did not malfunction; it delivered the attacker's login to a flawed authentication routine. (e) embedded_software: Yes. The backdoor was built into all versions of the Rugged Operating System, could not be disabled or changed by customers, and was found by security researcher Justin W. Clarke by examining the firmware on two used RuggedCom devices [Article 11157, Article 11160]. RuggedCom acknowledged the account but did not fix it until pressure was applied [Article 11157, Article 11160].
Communication connectivity_level The backdoor was exploited over the network: the account was reachable by anyone who could connect to the device's remote-access services, which is why RuggedCom's fix disables telnet and remote shell by default in addition to removing the account [Article 11157]. The authentication flaw itself sits in the operating system, but it became a connectivity-level failure because the affected devices, used in power grids, railway and traffic control systems and military systems, exposed those services to the network and customers could not turn the account off [Article 11157, Article 11160]. Exploitation requires the device's MAC address, which is visible on the local network segment and is commonly available by other means, so the articles treat it as a weak barrier [Article 11157, Article 11160]. RuggedCom's failure to respond after being notified left that exposure in place for about a year until the researcher, Justin W. Clarke, disclosed it publicly [Article 11157].
Application TRUE The software failure incident described in the articles was related to the application layer of the cyber physical system. This failure was due to a serious security vulnerability in the RuggedCom operating system, specifically the presence of a backdoor login account that could not be disabled and was found in all versions of the Rugged Operating System made by RuggedCom [Article 11157, Article 11160]. This backdoor account allowed attackers to access the devices online, potentially compromising critical industrial control systems used in power grids, railway and traffic control systems, and military systems. The login credentials for the backdoor included a static username assigned by the vendor and a dynamically generated password based on the individual MAC address of the device, making it vulnerable to exploitation [Article 11157, Article 11160].
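As an added example (not from the articles, from RuggedCom or from the researcher), the following detection logic flags any attempt to use the reserved vendor account in authentication logs and reports which remote-access services on a device are still enabled. The syslog line format, field names, host names, IP addresses and service table are constructed assumptions; a real deployment would adapt the regular expression to the device's actual log format. It answers the two questions a defender would ask about a device exposed as described above: has anyone tried the "factory" account, and is telnet or remote shell still listening.

```python
"""Added example, not code from the articles or from RuggedCom: detection logic
for use of the reserved vendor account, run over constructed syslog-style lines,
plus an audit of a constructed service table. Log format, field names and the
service schema are assumptions, not the actual RuggedCom formats."""
import re
from collections import Counter

RESERVED_ACCOUNTS = {"factory"}          # vendor account named in the articles
# Services the firmware update was reported to turn off by default.
UNSAFE_SERVICES = {"telnet", "rsh"}

# Constructed format:
# "<Mon dd HH:MM:SS> <host> <service>: login user=<u> from=<ip> result=<success|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<svc>\w+): "
    r"login user=(?P<user>\S+) from=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"result=(?P<result>success|fail)$"
)

SAMPLE_LOG = [   # constructed sample lines
    "Apr 25 10:01:02 ros-sw-01 telnetd: login user=operator from=10.1.2.3 result=success",
    "Apr 25 10:01:09 ros-sw-01 telnetd: login user=factory from=198.51.100.7 result=fail",
    "Apr 25 10:01:15 ros-sw-01 telnetd: login user=factory from=198.51.100.7 result=fail",
    "Apr 25 10:01:21 ros-sw-01 telnetd: login user=factory from=198.51.100.7 result=success",
    "Apr 25 10:02:00 ros-sw-02 sshd: login user=operator from=10.1.2.3 result=success",
    "this line is not an auth event and must be ignored",
]


def parse_auth_line(line: str):
    """Return the event's fields, or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_backdoor_use(lines):
    """One alert per event naming a reserved account. A success is CRITICAL
    (the device is owned); a failure is still HIGH, because no legitimate
    operator has any reason to type this username at all."""
    alerts = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev["user"] not in RESERVED_ACCOUNTS:
            continue
        alerts.append({
            "severity": "CRITICAL" if ev["result"] == "success" else "HIGH",
            "host": ev["host"], "src": ev["src"], "svc": ev["svc"],
            "user": ev["user"], "ts": ev["ts"],
        })
    return alerts


def attackers_by_host(alerts):
    """Which sources touched the vendor account on which device (for scoping
    the incident), as {"host <- src": count}."""
    c = Counter((a["host"], a["src"]) for a in alerts)
    return {f"{h} <- {s}": n for (h, s), n in sorted(c.items())}


def audit_services(services):
    """services: constructed mapping service name -> enabled flag. Returns the
    remote-access services that should be off on an upgraded device."""
    return sorted(name for name, on in services.items()
                  if on and name in UNSAFE_SERVICES)


SAMPLE_SERVICES = {"telnet": True, "rsh": True, "ssh": True, "https": True}

if __name__ == "__main__":
    found = detect_backdoor_use(SAMPLE_LOG)
    for a in found:
        print(a["severity"], a["host"], a["svc"], a["user"], "from", a["src"], "at", a["ts"])
    print("exposure:", attackers_by_host(found))
    print("unsafe services still enabled:", audit_services(SAMPLE_SERVICES))
```

Alerting on failed attempts as well as successes is deliberate: because the account is undocumented, the mere appearance of its username in a log is an indicator that someone knows about the backdoor, and a run of failures followed by a success from the same source is the pattern a defender should expect from an attacker refining the derivation.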

Other Details

Category Option Rationale
Consequence property, non-human, theoretical_consequence, other (a) death: None reported [Article 11157, Article 11160]. (b) harm: No physical harm to individuals is reported [Article 11157, Article 11160]. (c) basic: No impact on access to food or shelter is reported [Article 11157, Article 11160]. (d) property: Customers bore the cost, downtime and risk of upgrading firmware on fielded equipment to eliminate the backdoor [Article 11157]; the articles report no theft or destruction of data or goods. (e) delay: None reported [Article 11157, Article 11160]. (f) non-human: The affected entities are devices and networks: industrial control systems in power grids, railway and traffic control systems, military systems and manufacturing facilities, all of which carried an account that could not be disabled [Article 11157, Article 11160]. (g) no_consequence: Does not apply; there was a real exposure, a vendor firmware change and customer upgrade work [Article 11157, Article 11160]. (h) theoretical_consequence: The articles discuss unauthorised access to grid, rail, traffic and military control equipment as a potential outcome; no actual exploitation by an attacker is reported, so those consequences remained potential [Article 11157, Article 11160]. (i) other: Damage to the reputation of RuggedCom and, through the acquisition, Siemens, and a loss of confidence in the vendor's other products, since the articles question whether further vulnerabilities exist in the same development process [Article 11157, Article 11160].
Domain information, transportation, utilities, government (a) information: The failed system is the operating system of RuggedCom's control-system equipment, devices reachable online whose backdoor was exploited over network services; that is the only sense in which the information industry applies, since the devices carry control traffic rather than produce or distribute information [Article 11157, Article 11160]. (b) transportation: The devices are used in railway and traffic control systems [Article 11157, Article 11160]. (g) utilities: The devices are used in power grids [Article 11157, Article 11160]. (l) government: The devices are used in military systems [Article 11157, Article 11160]. The articles also name manufacturing facilities among the deployments [Article 11157, Article 11160].
