Yeah, when I got my 1204X-E I was all excited to fire up Kali Linux and work on my pen testing skills. I figured it would be an easy target. In the end, I’ve still been too lazy to even plug in the Ethernet cable.
Please don't waste any precious development resources unnecessarily hardening networking interfaces. Instead, continue adding function-related features and fix bugs.
There is no need to "harden" much of anything. Merely to implement a standard as it is supposed to be. Increasing a field length to its intended length is a trivial task. Adding support for both passphrase and hex key is also nearly as trivial.
That’s pretty amusing... a Tektronix scope running windows lol
Any malicious modification of measurement values may have serious impact on the product or service which is created or offered by using this oscilloscope. Therefore, all procedures which are executed with this device are untrustworthy.
Do these people have a clue how scopes are actually used?
Yes not a clue here. I only spent the last 20 years in defence and financial sectors showing them how to build secure software and architecture. Throw me a technical question if you don't believe me. Literally anything.
Fine by me. I guess your heavy emphasis on network isolation as the solution that seemingly makes everything good misled me. I have heard so many security experts go more for "do all you can" (including network isolation and getting software issues fixed).
Security is about compartmentalising and layering trust. If you can't trust a device you isolate it, which was my point. Then if the little problem appears, the scope of the problem is contained and risks are known. This is part of the policy that your org should have implemented but didn't.
The case 2 was more of a communication failure (one worker makes an assumption, nobody confirms it), in a non-critical network. Should not have happened anyway. As a side note, we did get that better isolated sub-network later, because one team was developing low level network stuff, and ended up accidentally DOSing the whole network for half a day once. So they gave us a smaller sub-network to break :P
Go read ISO 27001 and come back enlightened.
Nah. We all have our areas of expertise, my hands are already full with other stuff. Others are paid to handle that monster.
Siglent are not at fault here.
As for the total security of the place where such a scope would be used, no. But as for having a mistake in their scope's software, Siglent is very much at fault (and the only one who can fix it).
... never let ... install their own devices or bring a USB stick into the building and make that a policy that will get their ass kicked out of the door if they do instantly
My current company is big enough that there are "divisions" where that is indeed the way (and their network etc. are even isolated from the rest of the company). But also sections with a much less critical setup, like ours. USB sticks are allowed, but only "company ones" (which only go outwards if needed), and no BYOD. (Or well, one can e.g. use an own unmanaged mobile phone, but then you can't e.g. get work mail/calendar accessed with it.) Though the USB things are quickly going out of use due to cloud stuff (and only company controlled cloud is allowed). And some of us install software on our own PCs, simply because the IT support section whose job it would normally be are simply not capable of doing it properly for developers (the support still lives in the age of "one setup fits all"). Most people can still use the default support-provided installs, but many developers can not. All PCs are remote managed/manageable, though, and on regular automatic checks (for certain settings, anti-malware working, and looking for possible unlicensed or blacklisted software).
Edit: also as you're in Finland you are bound by GDPR.
Yep. We got a couple of training sessions for everyone about that. Lawyers going around teaching about it, and discussing with developers about how it could be implemented in practice. Some more training for selected ones. I ended up having to go through the code of a couple of products to look for needed changes to allow being GDPR compliant with them. All the bureaucratic stuff like supporting information requests/deletions needed some extra functionality added, etc. About one man-year of work. That was the easy part. Getting the customers (i.e. companies using our products who are actually the main responsible party and pay the costs) to react, though, aaargh...
Edit 2: let's not single out Siglent here either. Keysight, Agilent, HP, Tektronix and various other vendors run ancient copies of windows on half their kit. Half of the NHS here in the UK runs on expensive bits of kit (MRI/CT scanners etc) plugged into old bits of crap dangling off Windows XP. When my youngest daughter was born 6 years ago, they had an ultrasound machine with a floppy drive running god knows what (looked like HP/UX of some sort), the machine dated 1997. And they all quite happily amble along without any problems because someone with a clue stick has been at it.
All understandable. But I think using Windows XP or such at the time of designing the product could not be considered a clear implementation mistake. I mean there was nobody saying "Choosing to use Windows XP does not implement a standard correctly"...
Dear Siglent,
Please don't waste any precious development resources unnecessarily hardening networking interfaces. Instead, continue adding function-related features and fix bugs.
:-+
That’s not going to happen. There are literally so few of these out there and hardly any of them are network connected and you’d have to be actively targeted and have your network compromised already which means you have massively bigger problems on your hands.
I basically do the same job as you.
Also the CPU doesn’t have enough grunt for it to be a decent target. Checked in AWS credentials and stolen credit cards buying GPU instances in AWS is where that class of dickhead is hanging out.
Dear Siglent,
Please don't waste any precious development resources unnecessarily hardening networking interfaces. Instead, continue adding function-related features and fix bugs.
:-+
You won't be saying that after there's a Bitcoin miner and spambot installed on it.
With the proliferation of network devices of questionable origin, I also protect against a threat that this thread hasn't touched on that any of these devices may be the originators of malware themselves.
Already under discussion here:
https://www.eevblog.com/forum/testgear/siglent-sds-1202x-e-network-security-issue/
Sorry, I searched briefly but missed the thread. Please direct responses to below!
Why bother, it's fake news.
Already under discussion here:
https://www.eevblog.com/forum/testgear/siglent-sds-1202x-e-network-security-issue/
::)
No it's not fake news, the article is on bleepingcomputers.com
If you are not connecting the scope directly to the Internet without a firewall, how will somebody gain access to it? What is your attack vector?
And yet again, the perhaps rare chance of going to do a job in a place where you're not the one with the power to decide how the scope will be connected (or perhaps using WLAN) is being ignored. (The previous longer text of mine already has more about this kind of case.)
If you have a malevolent player already inside your private/secure network, you have bigger problems.
You do not usually know beforehand who is malevolent. Sometimes you don't even know he got inside.
And no, professionals won't tell you to do as much as you can. They do risk analysis, design protection layers and isolate.
Funny how my experiences have been different (granted, my experiences are from the software side, not networking, although we do touch networking things a bit, too). Oh, they do that risk analysis, design protection etc., but they also say to do as much as you can (within limits, no point in throwing 1M€ on security for a webshop that sells 10k€ a year). What I have meant is that even after the network is layered, isolated, risks analyzed, you still also e.g. think about your authentication system, and turn off unnecessary services. If layering and isolation should be enough, _all_ the crap services could always be left running as is, right?... So, so wrong.
Nobody cares for your scope. Malevolent players also attack only what is lucrative.
If "nobody cares about your ..." were a valid argument for low risk in general (it can be in specific cases), I wouldn't need a firewall on my home systems. After all, nobody cares about me (in such a malevolent sense), either. Yet this assumption can easily be proven wrong simply by looking at the traffic just outside that firewall. The attackers don't always know what is lucrative until they find it, and some damage gets done while they are searching for it.
Forbid use of hacked software and BYOD, lock USB ports and make sure nobody is surfing funny sites... Do cyber security education for EVERYBODY.
Imho, the litany above is already starting to approach the "do as much as you can" and being paranoid :P I mean, doing only a couple of those tasks should already be enough, if people behaved and software was without flaws. Because they don't behave and do have flaws, one has to do more, just in case. And it still isn't enough. But, one just tries to make the risks as small as possible, not zero.
And stop being paranoid.
Security teams need to use common sense and help people properly manage the risk, not engage in outrageous "what-if-dinosaurs-attack" scenarios. Put these devices on a lab-only network or an isolated VLAN without access to the network at large or the internet and the risk drops to next to nothing. The device does not need to be a hardened fortress.
I don't agree entirely. If a device has a lot of network connectivity some basic security should be in place. It is not beyond reasonable to think these scopes can be used to mine crypto currency. Think about a school which has a couple of dozen of these scopes. If files can be transferred onto the oscilloscopes then someone can put a miner on the oscilloscopes. The scopes in themselves are not fast but together they can do some hefty number crunching.
As for fake-news, that's exactly what I would call demanding the vendor address the flaw of sending unencrypted scope screens, or the flaw of open access to the controls. Those are design choices that are completely reasonable for the product.
The notice is not *completely* fake.
Yep.
The people posting here saying "Well my oscilloscope is safe" are missing the point: This is an oscilloscope with web interface, you can bet a lot of these are being connected up so that remote viewing is possible from "outside".
What do you mean from the outside? People access their network via VPN and connect to the scope?
Or they export scope http port to public side of their Internet router, into the wild, in which case they are doing something really, really bad.
And I'm being very polite here.
What you are proposing is just unrealistic. Like other oscilloscopes the more recent Siglent oscilloscopes offer several features which are centered around having network/internet connectivity. Not allowing to use that is not a solution. Back in the old days with test equipment running Windows just because they needed an OS you didn't really need a network connection to take full advantage of the piece of test equipment. With more modern test equipment that is no longer the case. You need to classify them as IoT devices and treat them as such.
I don't agree entirely. If a device has a lot of network connectivity some basic security should be in place. It is not beyond reasonable to think these scopes can be used to mine crypto currency. Think about a school which has a couple of dozen of these scopes. If files can be transferred onto the oscilloscopes then someone can put a miner on the oscilloscopes. The scopes in themselves are not fast but together they can do some hefty number crunching.
That's fine. We don't have to agree. As for the school, I just said, "don't do that". There is no reason the scope needs internet access, or indeed access to anything at all. The scopes can be on an isolated switch for physical access, an unrouted VLAN, or a separate WLAN for wireless. If they are not attached to a network routed to or with firewall access to the internet they are not mining anything. Sure, maybe a read-only vs full access password would be a nice thing, but that's really a feature, not a necessity to have a network port.
But that old Tektronix didn't need network access to work and didn't support Wifi.
The article is about the SDS1202X-E.
Oh there is certainly someone out there that does just that. Humans being what they are it's inevitable. That person is also certainly not following any security feeds, news stories of the last two decades, or even really in possession of simple common sense. The rest of us can read this, and take sensible, reasonable precautions based on how it operates.
PORT STATE SERVICE VERSION
21/tcp open ftp oftpd
|_ftp-anon: ERROR: Script execution failed (use -d to debug)
|_ftp-bounce: no banner
23/tcp open telnet Pocket CMD telnetd
80/tcp open http ChipPC Extreme httpd (WinCE 6.00)
|_http-favicon: Unknown favicon MD5: 5415808C5657E45613A4D0A6BD75D0CD
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: MSO-X 3104T Oscilloscope
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 395180 1 49154/tcp
|_ 395183 1 49154/tcp
443/tcp open tcpwrapped
5850/tcp open unknown
5900/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| None (1)
|_ WARNING: Server does not require authentication
49154/tcp open rpcbind
| rpcinfo:
| program version port/proto service
| 395180 1 49154/tcp
|_ 395183 1 49154/tcp
What you are proposing is just unrealistic. Like other oscilloscopes the more recent Siglent oscilloscopes offer several features which are centered around having network/internet connectivity. Not allowing to use that is not a solution. Back in the old days with test equipment running Windows just because they needed an OS you didn't really need a network connection to take full advantage of the piece of test equipment. With more modern test equipment that is no longer the case. You need to classify them as IoT devices and treat them as such.
What bothers me here is that somebody decided to single out Siglent like they are some bad guys. ALL the scopes are insecure devices.
The password hashes are hardcoded and are difficult to change for the end user because the “shadow” file is stored on a cramfs (intentionally write-only) file system.
Has anyone managed to log into the root account of such a scope - with any of the official firmwares, that is?
...
Anyway, no matter what the answer is, most likely we'll now see something happen what usually happens in such cases: thanks to some lurid headlines, Siglent will be pushed to change a few little things and all the hackers out there will face some new challenges... ;)
write-only. Signetics 25120
Darn! Now I have to start bitching too! The Signetics 25120 dates back to 1974! I hadn't realized that Siglent fits such old and obsolete chips into their gear!
At least it seems that WOMs (Write Only Memories) haven't been much of a success ever since. ;)
...What bothers me here is that somebody decided to single out Siglent like they are some bad guys. ALL the scopes are insecure devices.
And the login is also known. Also for all other scopes. Wintel ones even worse. So it's not fake news. But it is singling out one manufacturer and blowing things out of proportion.
At least it seems that WOMs (Write Only Memories) haven't been much of a success ever since. ;)
The software version, /dev/null, has been very popular in UNIX and copycats for many years.
That is old style thinking. In this day and age that is no longer true. People just drool over stuff they can control with their phones and manufacturers know that all too well so they add it to have an edge.
What you are proposing is just unrealistic. Like other oscilloscopes the more recent Siglent oscilloscopes offer several features which are centered around having network/internet connectivity. Not allowing to use that is not a solution. Back in the old days with test equipment running Windows just because they needed an OS you didn't really need a network connection to take full advantage of the piece of test equipment. With more modern test equipment that is no longer the case. You need to classify them as IoT devices and treat them as such.
IOT devices are by definition connected to the Internet in the wild and without an Internet connection have no reason to exist.
Scopes ARE NOT Internet, but LAN devices. Scopes are not IOT devices, nor are they supposed to be. If some people are misusing it that way, that is not the scope's problem.
That is old style thinking. In this day and age that is no longer true. People just drool over stuff they can control with their phones and manufacturers know that all too well so they add it to have an edge.
But what is the purpose envelope exactly? If there was no use or desire for internet connectivity (web access) then it wouldn't be on there. Apparently (unlike you) many other people do feel internet connectivity is useful to them. Which means the purpose envelope has shifted.
That is old style thinking. In this day and age that is no longer true. People just drool over stuff they can control with their phones and manufacturers know that all too well so they add it to have an edge.
What does it have to do with oscilloscopes?
No that is security industry thinking. I don't care for people that shoot themselves in the foot.
An oscilloscope is a perfectly secure device when used as a scope. Once you start using anything outside its purpose envelope, you're on your own.
There is no, repeat no internet capability for SDS1202X-E, zip, zero.
You might as well take your central SQL database of the bank, connect it directly to public Internet and then bitch to manufacturer of SQL server about how their crappy database is not properly secure because people read your data.
It is not about this model or manufacturer but about modern oscilloscopes in general.
Then a new test equipment internet security thread is appropriate so members with other brands can chime in with their experiences and checks.
this thread is about the SIGLENT scope which has no use for internet access nor access to ANY other network resource at all. The remote operator connects to it. That is all.
Quite obviously this scope (and other ones) have good use for a network connection - their Ethernet port is there for a reason. And since it seems to run Linux (as do quite some other scopes), as soon as you can run your own code on it, _this code_ can access the network.
It's not about the regular or intended use case. Such problems are about _what's possible_. You know, all the insecure IOT devices everybody is screaming about also have no use case of accessing other network resources in your local network. But when they are broken into, they serve as a happy jumping point into your network, just because they can.
Exactly, and since many scopes on today's market seem to run on the Xilinx Zynq software platform these oscilloscopes are likely vulnerable to the same attack vectors.
And you think that all LANs out there are not connected, somehow, to the Internet? Welcome to the real world. Even the separated test networks mentioned before were, quite sure, somehow connected to the regular corporate network and then to the Internet. It might not be a connection you know about, but just for management by corporate IT they usually never have truly disconnected networks. (So far I have heard of exactly one instance of truly disconnected, by air-gap, public and internal networks - and they were just paranoid about their security).
Replacing that with a well known, shared password seems like a poor choice.
Of course after modifications are done everyone changes this OSV_wellknown back to the original genuine OSV, after which whoever can try to brute force it to get the door open.
Good point. My thought process had not progressed that far :)