Gas detectors used in factories and other industrial settings to identify toxic conditions contain several vulnerabilities that can allow hackers to remotely sabotage the devices, according to an industry advisory published late last week.
The vulnerabilities in the Midas and Midas Black gas detectors manufactured by Honeywell can be exploited by hackers with a low skill level, according to the advisory, which was published Thursday by the Industrial Control System Cyber Emergency Response Team. The first weaknesses is a “path traversal” weakness, which allows remote attackers to bypass the normal authentication system. A second one results in the failure to encrypt user passwords when they’re being transmitted.
“Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes,” the advisory warned. The notice went on to advise organizations that rely on on the detectors to install versions 1.13b3 or 2.13b3, which patch against the vulnerabilities. The advisory pointed to this link from Honeywell.
The vulnerabilities underscore the challenge posed by the increasing use of computers to automate sensitive industrial processes. While computerization often brings efficiency to managing factories and other industrial environments, it also raises the risk of malfunctions or sabotage made possible by security flaws. Frequently, equipment is located in hard-to-access areas with extremely harsh environments, making patching difficult.
SOURCE: Dan Goodin | Ars Technica