DHS Hacker Warning
We already heard that machinery in US power plants were vulnerable to attacks from hackers and now the Department of Homeland Security has put out a warning saying just that. The department’s Computer Emergency Readiness Team (CERT) is concerned that the ESC 8832 data controller could be taken over by an attacker with the most basic hacking skills and there’s no way to fix it.
The ESC 8832 allows plant workers to monitor how the device is working and allows for multiple accounts with varying degrees of access. By exploiting its web interface, a hacker could brute force a parameter and gain access to functions that are not available in the unit’s menu. The attacker would be able to perform administrative functions, monitor, or change industrial system information.
Introduced in 2001, the Supervisory Control and Data Acquisition (SCADA) system developed by ESC. According to them, the there is no way to fix the vulnerabilities, because there is not enough room for the code that would make up the security patch. The ESC 8832 was last sold in 2013 due to the company being unable to get the parts to manufacture it. While they are attempting to get those who use it to upgrade to the newer ESC 8864 data controller, ESC plans to service the device until the end of the decade.
Many medical equipment systems that fall into this same category. There are also still Windows XP systems that are used because of this and these companies are paying Microsoft huge support fees to try and keep things secure. Windows XP support and updates ended April 8, 2014, leaving the system very vulnerable to hackers.