A cybersecurity researcher who discovered a critical security gap that could leave railroads, power grids, even military systems vulnerable has won a rare public “thank you” from the manufacturer of the vulnerable equipment.
Last April, Justin W. Clarke of San Francisco privately told RuggedCom, a Concord, Ontario, manufacturer of “hardened” industrial networking equipment designed to run in any temperature or weather condition, about a crucial vulnerability. If exploited, it could allow hackers or other nations could to take control of elements within crucial American infrastructure that used the equipment.
RuggedCom customers include defense contractors such as Boeing and Lockheed Martin, as well as several of the nation’s largest utilities. The systems are also used by transportation authorities in Houston and Lakeland, Fla., as well as in Washington State and Wisconsin.
Now, a week after Mr. Clarke brought public pressure to bear after deciding that RuggedCom was dragging its feet, it seems the important fix is going to happen.
“In the next few weeks, RuggedCom will be releasing new versions [of the company’s] firmware that removes the undocumented factory account,” Jim Slinowsky, vice president of marketing for RuggedCom, said in a press release late Friday.
“We thank the researcher, Justin W. Clarke, for reporting this vulnerability,” the company said in a separate release a day earlier.
The vulnerability involved a “back door” in RuggedCom products — a secret factory login that could allow the manufacturer to enter the equipment’s control systems without anyone knowing. Clarke found out about the back door by buying RuggedCom equipment on eBay and testing it. He also discovered that the password protecting this back door was weak, meaning it could be easily hacked.
In mid-April, about a year after Clarke told RuggedCom about the problem, the company told Clarke it would need three more weeks to notify customers, but it did not say whether it planned to fix the back door access with a firmware upgrade, Clarke says. Feeling the company might never fix the problem, Clarke decided to reveal the threat publicly.
He reported the vulnerability to the US-Computer Emergency Readiness Team, a federal cyberwatchdog, which issued a vulnerability warning April 24. Its sister agency, which is focused on computerized industrial-control systems, also put out its own warning.
Soon after, industrial control-system security experts began blogging about the threat.
“I didn’t do this for money — I didn’t get paid for this,” Clarke told the Monitor in an interview last week. “I just wanted the problem fixed, and nothing I heard from the company ever indicated that would happen.”