“Rugged environments” such as those in power plants and at military sites are the main area where Rugged OS is used. Source: RuggedCom
Security researcher Justin W. Clarke reports that all systems based on the proprietary Rugged OS use a hard-coded private RSA key to encrypt their secure SSL connections. As recently as April, the same researcher discovered undocumented backdoors in devices from Siemens subsidiary RuggedCom that are mainly used in power plants, in military environments and in traffic control.
The private key would allow intruders to intercept network traffic that is protected via SSL. The ICS-CERT, which specialises in industrial control systems, has now released an alert to inform the operators of critical infrastructure components of this potential danger. The ICS-CERT says that it is working with the developers and the security researcher to “identify mitigations”. It seems that the researcher didn’t want to repeat his previous effort this time – last time, Clarke notified the Canadian company of the security holes in a confidential report, but the company didn’t fix them for over a year.