SCADA search engine assists hackers in their evil exploits
November 3, 2010
The U.S. Computer Emergency Readiness Team (CERT) is warning that a lesser-known search engine, which indexes the specialized Internet-connected devices and other complex equipment used to control power grids, refineries and even nuclear power plants (SCADA systems), is in effect helping potential hackers discover and accurately pinpoint critical industrial control systems that are extremely vulnerable to tampering.
In July, German power specialist Siemens said that it had discovered some critical Internet security issues in its power-grid management software and had provided its users with patches to clear up the problem. Now some security experts are saying that the patches weren't enough, since the security vulnerabilities appear to still be there.
The year-old search engine known as Shodan makes it very easy to locate Internet-facing SCADA (Supervisory Control And Data Acquisition) systems, some of which were designed by Siemens. As white-hat hacker and Errata Security expert Robert Graham notes, Shodan can also be used to identify systems with known security vulnerabilities, which is exactly what hackers are looking for.
“The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems and application servers in more than one data center,” CERT wrote in an advisory published late yesterday.
“These critical control and management systems have been found to be readily accessible from the Internet and with specialized tools such as Shodan, and the resources required to identify them now have been greatly reduced.”
Besides opening up industrial control systems to attacks that target unpatched security vulnerabilities, the information provided by Shodan also makes some networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults, CERT warned.
CERT advised senior system administrators to tighten security by:
CERT's warning comes a few weeks after reports that a worm called Stuxnet burrowed into SCADA systems controlling nuclear power plants. The attack, which many researchers speculate was intended to disrupt Iran's nuclear aspirations, demonstrated how successful determined hackers can be at penetrating the critical and (in some cases) national security control systems in use today.
Short for Sentinel Hyper-Optimized Data Access Network, Shodan contains a wealth of information about network routers, switches, servers, load balancers and other specific hardware that is directly attached to the Internet.
Its database was built by indexing the metadata contained in the headers that the hardware broadcasts to other devices. Searches can be filtered by port, hostname and country. In other words, not only can it identify a Solaris server, it can in many cases identify a Solaris server located in Pakistan that remains vulnerable to a known exploit.
Shodan can also easily determine whether a server is running Linux, Windows or some other operating system, along with about 20 other system parameters, such as how long the server has been running, whether there have been any recent IP address or network changes, and when those changes took place.
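To make the indexing idea concrete, the following is a toy reconstruction of the banner-metadata index described above, added here as an illustration and not Shodan's own code. It parses two common banner styles into product and version fields, supports the port, hostname and country filters the article names, and lists which hosts disclose a version string, which is what lets anyone match a host against known-vulnerable releases without probing it. All banners, hostnames and addresses are constructed samples, and the regular expressions and function names are this example's own.

```python
import re
from dataclasses import dataclass

@dataclass
class Record:
    ip: str
    port: int
    hostname: str
    country: str
    product: str = ""
    version: str = ""

# Recognisers for the two banner styles used in the constructed sample (HTTP Server header, SSH ident).
HTTP_SERVER = re.compile(r"^Server:\s*([A-Za-z0-9_-]+)(?:/([\w.]+))?", re.M)
SSH_IDENT = re.compile(r"^SSH-2\.0-([A-Za-z]+)[_-]?([\w.]+)?", re.M)

def parse_banner(banner):
    """Return (product, version) from raw banner text; empty strings if unknown."""
    for pattern in (HTTP_SERVER, SSH_IDENT):
        m = pattern.search(banner)
        if m:
            return m.group(1), m.group(2) or ""
    return "", ""

def build_index(raw_records):
    """Index captures by header metadata only, as the article describes Shodan doing."""
    return [Record(r["ip"], r["port"], r["hostname"], r["country"], *parse_banner(r["banner"]))
            for r in raw_records]

def search(index, port=None, country=None, hostname=None, product=None):
    """Filter by the facets the article names (port, hostname, country) plus product."""
    return [rec for rec in index
            if (port is None or rec.port == port)
            and (country is None or rec.country == country)
            and (hostname is None or hostname in rec.hostname)
            and (product is None or rec.product.lower() == product.lower())]

def version_disclosing(index):
    """Records whose banner leaks a version: enough to match against known-vulnerable releases."""
    return [rec for rec in index if rec.version]

# Constructed sample captures (RFC 5737 documentation addresses, not real hosts).
SAMPLE = [
    {"ip": "203.0.113.10", "port": 80, "hostname": "hmi.plant.example", "country": "US",
     "banner": "HTTP/1.0 200 OK\r\nServer: Apache/2.2.3\r\n"},
    {"ip": "203.0.113.11", "port": 22, "hostname": "gw.plant.example", "country": "US",
     "banner": "SSH-2.0-OpenSSH_4.3\r\n"},
    {"ip": "198.51.100.7", "port": 80, "hostname": "web.example.net", "country": "DE",
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"},
]
```

Running the same index over banners captured from your own address ranges shows which of your hosts are identifiable from header metadata alone; the fix on the defender's side is to stop exposing such services to the Internet and to trim version disclosure from the ones that must stay reachable.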
Source: The U.S. Computer Emergency Readiness Team (CERT).