Hardcoded Credentials Expose SICK Controllers to Remote Attacks
A researcher has discovered that remote hackers could reconfigure or disrupt MSC800 modular system controllers from Germany-based sensor maker SICK due to the existence of hardcoded credentials.
The affected controllers, which according to the U.S. Department of Homeland Security (DHS) are used worldwide, particularly in the critical manufacturing sector, are affected by a critical vulnerability tracked as CVE-2019-10979.
The issue is related to the existence of hardcoded credentials in the firmware of affected products, allowing a low-skilled attacker to remotely reconfigure the controller’s settings or disrupt its functionality.
In an advisory published recently, SICK said it was not aware of any public exploits specifically targeting this vulnerability.
The hardcoded credentials exist in MSC800 controllers running versions of the firmware prior to 4.0, which patches the flaw.
According to SICK, version 4.0 of the firmware allows users to change the default password and prevent configuring the device over network interfaces, which can be particularly useful for critical infrastructure organizations.
“As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment,” SICK said.
Tri Quach of Amazon’s Customer Fulfillment Technology Security (CFTS) has been credited for finding and reporting the vulnerability to the DHS’s National Cybersecurity & Communications Integration Center (NCCIC).