Anyone have any thoughts on the Stuxnet malware and the implications with microcontrollers we use for our projects?
And besides the security implications, what kinds of things can we do to design more robust, resilient sensor/control networks?
http://en.wikipedia.org/wiki/Stuxnet
Stuxnet?
Moderators: adafruit_support_bill, adafruit
Please be positive and constructive with your questions and comments.
-
- Posts: 178
- Joined: Mon Sep 03, 2007 4:50 pm
Re: Stuxnet?
Problem No 1: The siemens SPS stuff that got used has a hardcoded default password that can't be changed easily!chrisjx wrote:Anyone have any thoughts on the Stuxnet malware and the implications with microcontrollers we use for our projects?
To me a default password that is known to everyone (even to google) is as good as a popup with the message If you really want to enter type 'yes I want to'.
Somehow it's all about requirements (which comes down to *money* surprise surprise).chrisjx wrote:And besides the security implications, what kinds of things can we do to design more robust, resilient sensor/control networks?
For example "remote support must be possible at any time without trained persons on site" hmpf... A manufacturer might also want this because they don't have to give there valuable knowledge to someone else.
Possible easy counter-measures:
- Use a physical switch to change the mode of operation. For example switch the SPI CLK between ICSP and peripheral ICs. Imo it's a good idea that the system won't work as long as it's programmable because people tend to be lazy.
- Force the user to change the default password. E.g. Cut functionality if the default password is in place.
If you opponent has physical access, time, skill and money (which the stuxnet authors clearly have), you need to define you security as "breakable in time X" and take measures so that this timeframe will stand.
This is far beyond private/hobbysts projects.
Please be positive and constructive with your questions and comments.