Homeland Security has said that an internet-connected industrial monitoring device — typically used in US industrial power plants and energy facilities — is vulnerable to a string of serious security vulnerabilities.
The US government department’s Computer Emergency Readiness Team (CERT) posted an advisory, saying that the ESC 8832 data controller, which allows a plant worker to see exactly how an industrial unit is working at a glance, could be trivially exploited by a “low skilled” attacker.
“The device supports different accounts with distribution of system privileges. An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter,” said the advisory.
That’s because the internet-connected device has a web interface, which hackers can easily exploit to gain greater access to the device than intended.
In other words, an attacker could remotely perform administrative operations, which could be used to view or even change sensitive industrial system information.
Worse of all, the company that develops the technology said it can’t patch the vulnerabilities, because there is no code space to install a security patch.
ESC, which developed the device, introduced the supervisory control and data acquisition (SCADA) system in 2001. The decade-old device was last sold in 2013 because, according to one of the device’s developers, the company couldn’t “get the parts.” That said, the company said it would support the device until the end of the decade, but pushed those who used the device to upgrade to the newer ESC 8864 data controller.
There are thought to be more than 4,000 units in the field, according to a company newsletter dated late-2012.
The flaws were discovered by independent security researcher Maxim Rupp. ESC acknowledged that Balazs Makany reported the flaws last year. Makany later released the exploit code online last year, pushing the CERT advisory to raise the risk of the flaw being exploited to a top-tier severity.
ESC could not be immediately reached for comment.