A group of researchers has made public a database, dubbed "SCADAPASS," containing default credentials for more than 100 industrial control system (ICS) products from various top vendors. The research team, known as SCADA StrangeLove, published the list on GitHub. Each entry includes the product and vendor names, the device type, the default username and password, the port and protocol, and a link to the source of the information. Among the devices listed were industrial routers, programmable logic controllers (PLCs), wireless gateways, servers and network modules from vendors such as B&B Electronics, Digi, Emerson, Moxa, Schneider Electric and Siemens, SecurityWeek reported.

SCADA StrangeLove researchers said they obtained the default credentials from open password lists and vendor documentation. The researchers also claimed to have compiled a lengthy list of hardcoded passwords, which they do not plan to release, in adherence to responsible disclosure guidelines.

By publishing the database, the researchers hope to change the mindset of ICS vendors. SCADA StrangeLove researcher Sergey Gordeychik says vendors shouldn't leave security in the hands of control system operators, who usually aren't aware of all the features on their devices. Gordeychik added that most vendors do not view default passwords as a vulnerability.
“Weak or no passwords are acceptable for systems that are physically protected and can only be accessed locally, but they can pose serious risk for systems that could be accessed remotely,” Gordeychik told SecurityWeek.
He strongly urges vendors to implement proper security controls, such as establishing password strength policies and forcing users to change passwords when they first log in.
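The two controls Gordeychik names, a password strength policy and a forced change at first login, are small to implement on the device side. The following is an added illustration, not code from SCADA StrangeLove, SecurityWeek or any vendor. It assumes a device keeps a local account store, and it uses a constructed list of records laid out in the SCADAPASS columns the article describes (vendor, product, device type, username, password, port, protocol, source); the vendor names and credentials in that list are placeholders, not real defaults. The factory account is stored with a `must_change` flag, so the first successful login is answered with `password_change_required`, and the replacement password is rejected if it is short, lacks character variety, contains the username, or equals any password in the default list.

```python
"""Added example: first-login password change plus a strength policy that
rejects passwords appearing in a SCADAPASS-style default-credential list.
Constructed for illustration; not vendor or SCADA StrangeLove code."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Constructed sample records in the column layout the article attributes to
# SCADAPASS: vendor, product, device type, username, password, port,
# protocol, source. Values are placeholders, not real vendor defaults.
SAMPLE_DEFAULTS = [
    ("ExampleVendor", "ExamplePLC-100", "PLC", "admin", "CHANGEME", 80, "http", "constructed"),
    ("ExampleVendor", "ExampleGW-2", "wireless gateway", "operator", "operator", 23, "telnet", "constructed"),
]

MIN_LENGTH = 12  # assumed policy minimum; the article gives no number


def load_default_pairs(records):
    """Return the set of (username, password) pairs from SCADAPASS-style records."""
    return {(rec[3], rec[4]) for rec in records}


def policy_violations(username, password, default_pairs):
    """Return the reasons a candidate password fails the strength policy (empty if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password) or not re.search(r"[a-z]", password):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("needs at least one digit")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if password in {pw for _, pw in default_pairs}:
        problems.append("matches a published default password")
    return problems


def _hash(password, salt):
    # Salted PBKDF2 so the stored digest is not a reusable secret.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool


@dataclass
class DeviceAuth:
    """Minimal device account store that forces replacement of factory passwords."""
    default_pairs: set
    accounts: dict = field(default_factory=dict)

    def provision_factory_account(self, username, password):
        # Factory credentials are stored but flagged, so the first login
        # cannot proceed until the operator replaces them.
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash(password, salt), must_change=True)

    def login(self, username, password):
        """Return 'denied', 'password_change_required' or 'ok'."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
            return "denied"
        if acct.must_change:
            return "password_change_required"
        return "ok"

    def change_password(self, username, old_password, new_password):
        """Apply the policy; on success clear must_change and return an empty list."""
        if self.login(username, old_password) == "denied":
            return ["current password incorrect"]
        problems = policy_violations(username, new_password, self.default_pairs)
        if problems:
            return problems
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.digest = _hash(new_password, acct.salt)
        acct.must_change = False
        return []


def demo():
    """Walk one account through first login, a rejected change and an accepted one."""
    auth = DeviceAuth(load_default_pairs(SAMPLE_DEFAULTS))
    auth.provision_factory_account("admin", "CHANGEME")
    first = auth.login("admin", "CHANGEME")
    rejected = auth.change_password("admin", "CHANGEME", "CHANGEME")
    accepted = auth.change_password("admin", "CHANGEME", "Plant7-Relay-Zulu42")
    second = auth.login("admin", "Plant7-Relay-Zulu42")
    return first, rejected, accepted, second


if __name__ == "__main__":
    print(demo())
```

The check against the default list is the part most directly tied to the article: once a list such as SCADAPASS is public, an operator "changing" a password back to the factory value, or to another vendor's factory value, is no better than leaving it alone, so the policy treats every password in the list as forbidden regardless of which account it was published for.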