The U.S. Department of Homeland Security has issued an alert warning that hackers could exploit code in Siemens-owned technology to attack power plants and other national critical infrastructure. Read More ..
Security researcher Justin Clarke exposed the flaw at a Los Angeles conference last week, claiming he discovered a way of spying on encrypted traffic in hardware owned by a Siemens subsidiary, RuggedCom.
The DHS advisory noted: "An attacker may use the key to create malicious communication to a RuggedCom network device."
It added that the government department was in contact with RuggedCom and the researcher in order to identify the flaw and find a resolution to the vulnerability.
Clarke said that the Siemens-owned technology maker used a single software key to decode encrypted traffic that flows across its network, and has discovered a way to extract the key which could then be used to send malware or credentials to the critical systems.
"If you can get to the inside, there is almost no authentication, there are almost no checks and balances to stop you," Clarke said, reports Reuters.
According to the BBC, this is the second time Clarke has reported a flaw in RuggedCom's technology after purchasing the firm's second-hand equipment from eBay. RuggedCom updated its software after Clarke found the first 'backdoor' that would have allowed hackers to access equipment remotely with an easily extracted password.