IoT at CERN? That’s the Internet-of-Things (IoT) here at CERN, i.e. any device, not necessarily PCs, laptops, tablets or smartphones, connected to CERN’s General Purpose Network (GPN) – the GPN-of-Things! And why a treasure trove? The Internet-of-Things is known to be unsecured, unprotected and full of vulnerabilities (see for example "Our life in symbiosis", “Your car, my control”, or “Hacking Control Systems, Switching Lights Off!”). The same goes for the devices connected to the GPN: unsecured and unprotected, a playground for hackers and attackers!
At the end of 2016, we performed an in-depth security scan of the CERN GPN*. Unlike before, when the targets had been laptops, PCs, tablets and smartphones, this time we aimed our scan at the “unusual” devices: embedded controllers, web cameras, control systems and any other box with an Ethernet connection. We found an abundance: voltmeters, television screens, oscilloscopes, programmable logic controllers (PLCs), Ethernet-to-whatever converters and power supplies. In addition to this were many private printers, network switches, wireless access points and VoIP phones, despite the fact that the CERN IT department provides central services for networking, telephony and printing. So far, so interesting. But it got worse: many of these devices were using default passwords (“admin:admin” anyone?). Others were running outdated firmware versions allowing attackers to crack the password easily or even bypass the authentication step completely…
So, if you own an embedded device and if you care that this device is functioning properly, make sure that its security posture is up-to-date: replace any default passwords with your own dedicated passwords. Follow the CERN password rules for this. Also, make sure that the firmware is the most recent version. Some of the devices we found flagged that their current firmware was outdated and that a more recent version was ready for download! If a device is essential for your experiment or one of CERN’s accelerators, refrain from connecting it to the GPN. Instead, check with your experiment or the Technical Network administrators whether your device is a good candidate to be connected there (or to find out about other alternatives)…
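The three points above (no default passwords, current firmware, essential devices kept off the GPN) can be checked against a device inventory that the owner maintains, without any network scanning. The following Python script is an added example and not CERN tooling; the inventory columns, the network labels "GPN" and "TN", and every device record in it are constructed for illustration. It also shows why firmware versions must be compared numerically rather than as strings ("2.9" sorts after "2.10" as text).

```python
"""Added example: audit a self-maintained device inventory against the three
hygiene rules of the bulletin. Nothing here touches the network; it only reads
an inventory the device owner keeps. Column names, network labels and all
sample records are constructed for this illustration."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed inventory: one line per embedded device owned by a team.
# 'essential' means the device matters for an experiment or accelerator;
# 'default_password' means the vendor's shipped credentials are still in use.
SAMPLE_INVENTORY = """\
hostname,kind,network,essential,default_password,firmware,latest_firmware
plc-hall-01,PLC,GPN,yes,yes,1.4.2,1.6.0
cam-lobby-03,webcam,GPN,no,no,3.2.1,3.2.1
scope-lab-07,oscilloscope,GPN,no,no,v2.9,v2.10
ps-rack-12,power supply,TN,yes,no,5.0,5.0
"""


@dataclass
class Device:
    hostname: str
    kind: str
    network: str            # "GPN" or "TN" (Technical Network); constructed labels
    essential: bool
    default_password: bool
    firmware: str           # installed version as reported by the device
    latest_firmware: str    # version the vendor currently offers


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "y", "true", "1")


def parse_inventory(text: str) -> list:
    """Read the CSV inventory into Device records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Device(
            hostname=row["hostname"],
            kind=row["kind"],
            network=row["network"].strip().upper(),
            essential=_yes(row["essential"]),
            default_password=_yes(row["default_password"]),
            firmware=row["firmware"].strip(),
            latest_firmware=row["latest_firmware"].strip(),
        )
        for row in reader
    ]


def parse_version(version: str) -> tuple:
    """Turn '1.6.0' or 'v2.10' into a tuple of ints so that 2.9 < 2.10."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def firmware_outdated(installed: str, latest: str) -> bool:
    return parse_version(installed) < parse_version(latest)


def audit(devices: list) -> dict:
    """Return {hostname: [issue, ...]} for every device that breaks a rule."""
    findings = {}
    for d in devices:
        issues = []
        if d.default_password:
            issues.append("default password")
        if firmware_outdated(d.firmware, d.latest_firmware):
            issues.append(f"firmware {d.firmware} < {d.latest_firmware}")
        if d.essential and d.network == "GPN":
            issues.append("essential device on GPN")
        if issues:
            findings[d.hostname] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"{host}: {'; '.join(issues)}")
```

Run as-is it reports two of the four constructed devices: the PLC breaks all three rules, and the oscilloscope is flagged only because its firmware "v2.9" is older than "v2.10", which a plain string comparison would have missed.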
*No, the CERN Computing Rules do not allow you to run such scans yourself. Thus, please refrain from doing so.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.