This is a list of SCADA equipment, used in various industry fields, which comes with simplistic default administration credentials. These admin logins are shipped with every product, and they are detailed in each product’s manual. Usually, the equipment’s new owners change these credentials as soon as the equipment is installed. Or at least in theory.
SCADA Strange Love’s Sergey Gordeychik says that this list was put together to raise awareness of the fact that there is a lot of ICS/SCADA equipment that, if left unconfigured, could put enterprises and national infrastructure at risk of hacking.
“Most of vendors don’t consider default passwords as vulnerability,” Mr. Gordeychik told Softpedia. “And if it’s ok for IT, it’s a big issue for ICS.”
“There are no hardcodes in this list,” he also told us, referring to the fact that only equipment with default (changeable) passwords is on the SCADAPASS list. Since hardcoded login credentials are embedded in the device’s firmware, they cannot be changed or removed except via a firmware update.
“We follow responsible disclosure practices and don’t publish details about vulnerabilities,” said Mr. Gordeychik, referring to the fact that hardcoded credentials (semi-legal backdoors) are considered a vulnerability.
The SCADAPASS list published on GitHub includes manufacturers like B&B Electronics, BinTec Elmeg, Digi, Echelon, Emerson, Hirschmann, IBM, Moxa, Rockwell, Samsung, Schneider Electric, Siemens, Wago, Westermo, and Yokogawa.
Most of the listed 110+ products are programmable logic controllers (PLC), but servers, wireless gateways, and industrial-grade routers are also on the list. [Softpedia]