Engineering Firm Exposed Electrical Infrastructure Details: Researchers

Misconfiguration issues with systems operated by Texas-based electrical engineering operator Power Quality Engineering (PQE) resulted in the information of various clients being exposed to the Internet, along with sensitive corporate information from PQE itself, UpGuard security researchers warn.

A port configured for public access and used for rsync server synchronization exposed data of clients such as Dell, the City of Austin, Oracle, and Texas Instruments, among others. A browser is all that an interested actor would have needed to access and download sensitive electrical infrastructure data that PQE inspectors examining customer facilities had compiled into reports, the researchers say.

Using a cyber risk scoring system developed by UpGuard, PQE was rated 181 out of a possible 950 when the data exposure was discovered. Thus, the company says, PQE “presents a number of potentially damaging attack vectors with this exposure.”

Not only does the incident reveal additional potential weak points in customer electrical systems, but publicly downloadable schematics could provide attackers with information on the “specific locations and configurations of government-operated top secret intelligence transmission zones within at least one Dell facility.”

In addition to the exposed customer data, the repository also contained a plain text file of internal PQE passwords, which provided potential attackers with further access to the company’s systems.

“This exposure illustrates several pertinent and common issues driving the spread of cyber risk today. The configuration of PQE’s rsync process to allow public access through an open port is an all too common state of affairs in IT environments. While IT personnel can restrict port access to only authorized PQE employees, such measures can easily be forgotten without processes in place to ensure security gaps are identified and closed immediately,” UpGuard says.

The data exposure was discovered after UpGuard Director of Cyber Risk Research Chris Vickery stumbled upon an open port configured to accept packets at an IP address that “returned a fully downloadable data repository originating from Power Quality Engineering.”

The repository contains folders such as “Clients,” “User,” and “Intuit,” yet the security researchers don’t know its actual size, despite downloading a 205 GB portion of data from it. The issue was discovered on July 6, 2017, and PQE secured its systems on July 8, after receiving notification from UpGuard.

The systems were accessible through port 873, which the command-line utility rsync (remote synchronization) uses by default. To secure the data accessible through the port, a network admin would have to restrict the IP addresses that are allowed to access the port, using rsync’s “hosts allow/deny” functions. However, this option can be missed, as it requires an extra step when the utility is configured.

Because of this oversight, the PQE repository could be downloaded by anyone connecting to the unprotected IP address. The security researchers even discovered that the “Clients” folder in the main repository includes directories titled with the names of well-known corporations and public-sector organizations in Central Texas, including computer manufacturer Dell, software maker Oracle, telecom carrier SBC, and semiconductor manufacturers Freescale (now owned by NXP) and Texas Instruments, among others.
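The “hosts allow/deny” restriction described above can be checked mechanically. The following is an added example, not code from UpGuard or PQE: a small auditor that parses an rsyncd.conf and flags modules reachable from any address or lacking `auth users`. The sample configuration, module names and addresses are constructed.

```python
# Constructed sample rsyncd.conf; module names, paths and addresses are made up.
SAMPLE_CONF = """\
[reports]
path = /srv/rsync/reports

[backups]
path = /srv/rsync/backups
hosts allow = 10.20.0.0/16, 192.0.2.15
hosts deny = *
auth users = backupsvc
secrets file = /etc/rsyncd.secrets

[mirror]
path = /srv/rsync/mirror
hosts deny = 203.0.113.0/24
"""

def parse_rsyncd_conf(text):
    """Return {module: params}; parameters set before the first [module] are defaults."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            name, value = line.split("=", 1)
            # Whitespace inside parameter names is not significant to rsyncd.
            key = "".join(name.split()).lower()
            (defaults if current is None else current)[key] = value.strip()
    return {m: {**defaults, **p} for m, p in modules.items()}

def audit(text):
    """Map each module to its findings; an empty list means access is restricted."""
    report = {}
    for module, p in parse_rsyncd_conf(text).items():
        allow = p.get("hostsallow", "").replace(",", " ").split()
        deny = p.get("hostsdeny", "").replace(",", " ").split()
        # rsyncd.conf(5): a client matching neither list is admitted when both are set.
        limited = "*" not in allow and ("*" in deny or (allow and not deny))
        findings = [] if limited else ["any-host"]
        if not p.get("authusers"):
            findings.append("anonymous")
        report[module] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A module that sets only a partial `hosts deny` list, like `[mirror]` here, is still flagged, because every address outside that list can connect.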

The exposed data includes reports and infrared imagery of weaknesses in clients’ power infrastructures, which were discovered and evaluated by PQE inspectors. “Such infrared studies and their associated reporting reveal, with high levels of specificity, energy infrastructure inspection results of clients like HealthSouth Rehabilitation Hospital of Austin,” the researchers explain.

One of the discovered folders was found to contain a document labeled “Director of Central Intelligence Directive No. 6/9,” which included details on the Sensitive Compartmented Information Facility, or “SCIF,” a secure room used by security-cleared individuals to receive sensitive information. Such rooms were designed so that external surveillance, eavesdropping, or interception of information in the room was as difficult as possible.

The exposed documents revealed the precise location of such a SCIF in a Dell facility in central Texas. “The documents confirm the exquisitely stringent standards for the construction of such a room, complying with TEMPEST-level security standards for any acoustical or radio transmissions, and extending to such detailed specifications as the construction of intrusion-defeating air ducts surrounding the SCIF,” UpGuard notes.

Exposed data for other clients included schematics of solar fields, electrical gap analyses, proposals for future construction, inspection reports of aviation breakers at local airfields, maintenance reports for municipal fuel systems, and a “Hazardous Operations Report,” all pertaining to the City of Austin.

The security researchers also suggest that clients might have been further exposed, considering that a document in the repository’s “User” folder contained a number of plaintext PQE passwords, including at least one password for PQE’s GoDaddy account. The firm’s website could have been accessed and exploited to funnel visitors into a watering hole attack, the researchers suggest.

“The PQE data exposure presents a uniquely varied illustration of the many attack vectors a malicious actor can take in 2017 to exploit the sensitive data of enterprises for their own purposes. Of prime importance, however, is the process error which resulted in the data being exposed in the first place: the configuration of the rsync port to be open to public access,” UpGuard points out.
