A screen from CoDeSys Visualization.

Software used to manage equipment in power plants, military environments, and nautical ships contains an undocumented backdoor that could allow malicious hackers to access sensitive systems without authorization.

The CoDeSys software tool, which is used in industrial control systems sold by 261 different manufacturers, contains functionality that allows people to remotely issue powerful system commands, Reid Wightman, a researcher with security firm ioActive, told Ars. The CoDeSys tool will grant a command shell to anyone who knows the proper command syntax and inner workings, leaving systems that are connected to the public Internet open to malicious tampering.

“There is absolutely no authentication needed to perform this privileged command,” Wightman said. “Imagine if your laptop had a service that accepted an unauthenticated ‘shutdown’ command, and if someone sent it your laptop [would] shut off and you [would lose] all your work. Anybody on the network could shut off your laptop without needing your password. That would suck. And that’s the case here.”

Read 5 remaining paragraphs | Comments

via Ars Technica » Technology Lab http://feeds.arstechnica.com/~r/arstechnica/technology-lab/~3/eq3Z0gl_t0w/

Advertisements