Security Experts:

Hardcoded Credentials Expose SICK Controllers to Remote Attacks

A researcher has discovered that remote hackers could reconfigure or disrupt MSC800 modular system controllers from Germany-based sensor maker SICK due to the existence of hardcoded credentials.

The affected controllers, which according to the U.S. Department of Homeland Security (DHS) are used worldwide, particularly in the critical manufacturing sector, are affected by a critical vulnerability tracked as CVE-2019-10979.

SICK controller

The issue is related to the existence of hardcoded credentials in the firmware of affected products, allowing a low-skilled attacker to remotely reconfigure the controller’s settings or disrupt its functionality.

In an advisory published recently, SICK said it was not aware of any public exploits specifically targeting this vulnerability.

The hardcoded credentials exist in MSC800 controllers running versions of the firmware prior to 4.0, which patches the flaw.


Learn More About Flaws in Industrial Products at SecurityWeek’s 2019 ICS Cyber Security Conference

According to SICK, version 4.0 of the firmware allows users to change the default password and prevent configuring the device over network interfaces, which can be particularly useful for critical infrastructure organizations.

“As general security measures, SICK recommends to minimize network exposure of the devices, restrict network access and follow recommended security practices in order to run the devices in a protected IT environment,” SICK said.

Tri Quach of Amazon’s Customer Fulfillment Technology Security (CFTS) has been credited for finding and reporting the vulnerability to the DHS’s National Cybersecurity & Communications Integration Center (NCCIC).

Related: Two Vulnerabilities Expose Rockwell Controllers to DoS Attacks

Related: Flaw in Schneider PLC Allows Significant Disruption to ICS

Related: Flaw Exposes Mitsubishi PLCs to Remote DoS Attacks

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.