Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

December 7, 2015

Toxic Gas Detector Alert!

Filed under: Cybersecurity,IoT - Internet of Things,Security — Patrick Durusau @ 9:55 pm

For years the Chicken Little‘s of infrastructure security have been warning of nearly impossible cyber-attacks on utilities and other critical infrastructure.

Despite nearly universal scorn from security experts, once those warning are heard, they are dutifully repeated by a non-critical press and echoed by elected public officials.

Despite not having been insecure originally, the Internet of Things is catching up to infrastructure and making what was once secure, insecure.

Consider Mark Stockley‘s report: Industrial gas detectors vulnerable to a remote ‘attacker with low skill’.

From the post:

Users of Honeywell’s Midas and Midas Black gas detectors are being urged to patch their firmware to protect against a pair of critical, remotely exploitable vulnerabilities.

These extremely serious vulnerabilities, found by researcher Maxim Rupp and reported by ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) in advisory ICSA-15-309-02, are simple enough to be exploited by an “attacker with low skill”:

Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes.

…These vulnerabilities could be exploited remotely.

…An attacker with low skill would be able to exploit these vulnerabilities.

So, how bad is the problem?

You judge:

Midas and Midas Black gas detectors are used worldwide in numerous industrial sectors including chemical, manufacturing, energy, food, agriculture and water to:

…detect many key toxic, ambient and flammable gases in a plant. The device monitors points up to 100 feet (30 meters) away while using patented technology to regulate flow rates and ensure error-free gas detection.

The vulnerabilities could allow the devices’ authentication to be bypassed completely by path traversal (CVE-2015-7907) or to be compromised by attackers grabbing an administrator’s password as it’s transmitted in clear text (CVE-2015-7908).

That’s still not a full picture of the danger posed by these vulnerabilities. Take a look at the sales brochure on the Midas Gas Detector and you will find this chart of the “over 35 gases” the Midas Gas Detector can detect:

35-gases

Several nasty gases on the list, Ammonia (caustic, hazarous), Arsine (highly toxic, flammable), Chlorine (extremely dangerous, poisonous for all living organisms), Hydrogen cyanide, and Hydrogen flouride (“Hydrogen fluoride is a highly dangerous gas, forming corrosive and penetrating hydrofluoric acid upon contact with living tissue. The gas can also cause blindness by rapid destruction of the corneas.”)

Bear in mind that patch application doesn’t have an encouraging history: Potent, in-the-wild exploits imperil customers of 100,000 e-commerce sites

Honeywell has put the detection of extremely dangerous gases, at the mercy of script kiddies.

Suggestion: If you worn on-site where Midas Gas Detectors may be in use, inquire before setting foot on the site if they are using Midas Gas Detectors of the relevant models and whether they are patched?

Bear in mind that the risk of “…corrosive and penetrating hydrofluoric acid upon contact with living tissue…” is your in some situations. I would ask first.

No Comments

No comments yet.

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress