Changeable default passwords are not seen as vulnerabilities by ICS-CERT, but should they be?
Experts disagree with ICS-CERT, find issue to be severe
By Steve Ragan , Staff Writer
October 15, 2013 — CSO — While responding to a vulnerability report submitted in April, ICS-CERT told a researcher that documented, changeable default passwords are not vulnerabilities. But given the risk behind default passwords and the focus on critical infrastructure security, shouldn't such things be considered an issue?
Darius Freamon, a researcher from South Carolina, reported a vulnerability in an ICS (Industrial Control System) used for Solar power generation last April. ICS-CERT, a division of the U.S. Department of Homeland Security that focuses on risk across critical infrastructure, told him that the flaw he disclosed in Solare Datensysteme wasn't valid.
"After analyzing the installation manual, we found that though there is a default password for this device, the manual clearly tells how to change it. We consider hard-coded (unchangeable) passwords to be a vulnerability, but we do not consider documented changeable default passwords to be a vulnerability," an email from ICS-CERT informed Freamon.
Freamon, who has submitted five different vulnerabilities this year to ICS-CERT, was understandably perplexed by the response. In his work, he told CSO that he sees default passwords all the time, and while he understands the response given to him, the problem itself remains.
"The big problem is that administrators just don't change them," Freamon told CSO, referring to default passwords used in critical systems.
"Even if 50% do it, [that] means there are hundreds or thousands of systems left open to the world. With all the attention on ICS and SCADA it is scary how many systems are connected to the Internet [with default credentials]."
CSO spoke to a few other security experts about the ICS-CERT response, in order to assess their stance on the issue. It's standard practice, at least on paper, to change default settings when deploying technology wherever possible. The reality however, is that software and hardware go into production with default settings as it makes usage and management easier.
A.N. Ananth, the CEO of EventTracker, told CSO that the default password report made in April is quite severe and the defense / explanation provided by ICS-CERT is weak.
"Microsoft learned this lesson the hard way from the days of Windows XP. Insecure default options were a primary driver for the NIST to develop the SCAP standard and require annual assessments of configuration across the network. The US Air Force secure desktop configuration is one result of this work and has led to significant reduction in attack surface across endpoints," Ananth said.
Moreover, secure configurations, such as changing default passwords, is listed as Critical Control #3 on the SANS Consensus Audit Guidelines.