back to article It's nearly 2019, and your network can get pwned through an oscilloscope

Administrators overseeing lab environments would be well advised to double-check their network setups following the disclosure of serious flaws in a line of oscilloscopes. On Friday, SEC Consult said it had uncovered a set of high-impact vulnerabilities in electronic testing equipment made by Siglent Technologies. In …

  1. Brian Miller

    This is your oscilloscope...

    and this is its network port. This is a tube of glue. The twain shall meet.

    And the network cable shall not ever be inserted...

    This is up there with the fish tank thermometer that allowed access to a hotel's internal network.

    1. bombastic bob Silver badge
      Devil

      Re: This is your oscilloscope...

      Yeah Siglent o-scopes are pretty nice feature-wise, but they're kinda "low end" on pricing and some of the overall construction and physical appearance reflects that. You get what you pay for, sometimes.

      In this case, it's probably an inexpensive [but highly functional] piece of test equipment with an 'IoT' feature that has the same *kinds* of security problems you find in IoT devices. I'd guess that's because the people who designed it aren't computer people, they're more like IoT people. And I guess computer people are expensive or something...

      I've got an older Siglent o-scope without 'teh entarweb' features, does what I want etc.. I bought it based on price vs features. No complaints.

      Considering IoT makers need o-scopes, having an IoT-like feature was probably good for marketing. Not so good in implementing.

      1. Anonymous Coward
        Anonymous Coward

        @bombastic bob - Re: This is your oscilloscope...

        As if developers who are computer people were not bad enough at security already, we have this new low.

  2. Anonymous Coward
    Anonymous Coward

    Bigger problems here?

    How did "they" get on to the network in the first place? It's unlikely to be on a public facing connection.

    1. Paul Crawford Silver badge

      Re: Bigger problems here?

      Lets face it, your development lab should be pretty much fire-walled off (or even air-gapped) from the rest of the world anyway as you have no idea what will be on it. Not necessarily malicious, but while developing products and messing about there is a very high chance of dumb shit happening and you don't want that leaking (or even as simple as IP address conflicts).

      1. Pascal Monett Silver badge
        Trollface

        Oh, stop being intelligent. They obviously weren't.

      2. Anonymous Coward
        Anonymous Coward

        Re: Bigger problems here?

        "Lets face it, your development lab should be pretty much fire-walled off (or even air-gapped) from the rest of the world "

        One of the big selling points of having a scope able to be networked is to allow it to connect to your normal workstation. The big guys tout the ability to monitor long-running tests remotely (as in sit in your cushy chair at your desk, coffee in hand, instead of out on the noisy lab or factory floor with necessary safety and ESD restrictions). Even if its as simple as doing a screen grab of a waveform, that's much easier over Ethernet than the archaic alternatives most scopes provide. I'm not saying it belongs on a globally-routable IP, but there are decent reasons for not air-gapping from the production network.

        The other plus to an Ethernet port is that it can be easier to work with on automated tests. GPIB cables are bulky, inconvenient, and expensive when compared to an Ethernet cord.

    2. vtcodger Silver badge

      Re: Bigger problems here?

      "It's unlikely to be on a public facing connection."

      IPv6 will fix that

  3. Martin Gregorie

    Why is insecurity 'inevitable'?

    Subject says it all. It doesn't seem so inevitable to me.

    Given that many of the light-weight realtime OSes you might find running instruments such as oscilloscopes often have little security [1], an obvious, simple and cheap way to secure the instrument would be to fit, say, a RaspberryPi model B inside a spare corner of the case and use it as a built-in network front end. For very little money this would provide a firewall and a reasonably capable login mechanism in addition to acting as a GUI for the 'scope. As a bonus it could also buffer and queue output sent networked printers and plotters or support one or two USB connections to local devices.

    [1] I used Microware's OS/9 for several years. Its a capable and very reliable OS both for desktop and realtime uses, but security? not so much apart from a login and file permission bits which are there as much for keeping the idly curious out and protection against fat fingering: you can easily run it in single user mode if you want. In this I don't think its all that different from any other small realtime OS.

    1. Wellyboot Silver badge
      Happy

      Re: Why is insecurity 'inevitable'?

      @Martin

      OS9 - memory cells jogged!

      That was my intro to C back in the 80s. doing realtime hardware stuff. Happy days when computer security meant locking the door.

    2. Anonymous Coward
      Anonymous Coward

      @Martin - Re: Why is insecurity 'inevitable'?

      You're absolutely right but that requires competent people which are hard to find so insecurity is inevitable.

      1. jake Silver badge

        Re: @Martin - Why is insecurity 'inevitable'?

        Competent people aren't hard to find. What is hard is convincing the bean counters that they are worth paying.

        1. pɹɐʍoɔ snoɯʎuouɐ

          Re: @Martin - Why is insecurity 'inevitable'?

          The bean counters should be packed onto the B ark.....

          They just dont see the benefit of getting a job done right to start with. they have a choice.. they pay someone competent to develop a network interface for said bit kit. To do the job properly its going to cost say 7 figures. They pay up and then the products works perfectly and never has a problem, no security issues.

          next time around, said bean counters nephew says " you can just throw wifi module you can buy off the shelf for 50p each from some Chinese distributor with a few lines of code and a 3p write once micro controller from the same distributor, I can write your code for a few quid, plus I will feed some of that fee back to you....,

          which one gets the job? which one should get the job?

          the thing is, 2 years down the line, some info-sec bod finds a gapeing hole in the security . they withdraw the product off the market, modernise the case, buy a different network module, release the same product again, but bump the price, sell the same product to the same customers (with a little discount)

          now which one will the bean counter go with?

    3. vtcodger Silver badge

      Re: Why is insecurity 'inevitable'?

      "RaspberryPi model B inside a spare corner of the case and use it as a built-in network front end. For very little money this would provide a firewall and a reasonably capable login mechanism"

      That'd likely work. For that matter, the scope's OS clearly has some sort of TCP/IP stack running. It may be that all it needs is proper configuring. And maybe for lab equipment it's worth the cost of hiring a network professional to secure the equipment or of training someone in the lab. (Although setting up a proper firewall and all isn't all that easy and a Chemist, Engineer etc pressed into service as a network engineer is likely to make securty mistakes that no one will notice). But none that solves the general problem of configuring network connected home routers, toothbrushes, bathroom scales, light bulbs, etc.

      Aside from which, I suspect that many lab folks are going to feel that having to log into their oscilloscope (using what input device?) is a requirement imposed by a deranged mind. I'm not all that sure they would be wrong.

  4. Kevin McMurtrie Silver badge

    Luckily, I can't afford a nice oscilloscope until it's 40+ years old. I'm feeling pretty tech savvy because my current one uses silicon semiconductors. Maybe Ethernet jacks are gone by the year 2058.

    1. Mike Pellatt

      Silicon semiconductors in your oscilloscope ????

      Pah. Young whipper-snapper. My first one was a Heathkit, with real valves ("tubes" to our transatlantic brethren). Xmas pressie from my parents.

      They were both down with the 'flu that Christmas, so I had it built and running by Christmas Night :-) (This is why I remember it so well...) (And yes, I was an only child and no-one else from the family was over that day....)

      Surprisingly, it didn't have a network port either.

      I wonder if anyone's tried to pwn netiwork analysers ?? That would be even more fun...

      1. jake Silver badge

        Dad built an OM-2 before I was born. The two of us built my IO-12 in 1967, and I built a IO-105 in 1973. All three still work (I've replaced caps and a few tubes through the years).

        It's tubes, not valves. Do you watch the valve or the tube? Do you say "electron valve", "vacuum valve" and "cathode ray valve"?

        I rooted a sales-droid's Network General Sniffer while he was delivering his sales pitch to my Boss in about 1989.

        1. John Sager

          It's a valve, as that is its function. In the same way you have it better with rail(way|road) switches, rather than points. Why points? Unless they were thinking of the pointy ends to the rails.

          1. Mike Pellatt

            They point the train in the right direction ??? <shrug>

            I'm really, really, really not going to get into a debate over the two versions of English.

            It is what it is. Neither is right. Neither is wrong.

            They're valves to me, and I'm quite happy with them being tubes to you.

            Courgettes to me, zuchini to you.

            Aubergine to me, eggplant to you.

            etc. etc. etc.

      2. adam 40 Silver badge

        You were lucky!

        Heathkit scope for christmas? You were spoilt.

        My first 'scope was an old black and white TV set, took off connections to the vertical coil out of the back.

        Got my first 20kV jolt of that one, too.

  5. Phil Endecott

    I thought it would be cool to have a ‘scope with a network port so that I could print screenshots to a networked printer.

    Then I actually tried to do it. It was a nightmare to set up, not least because the thing didn’t have a qwerty keyboard.

    So I unplugged the network and took pictures of the screen with my phone.

    1. steelpillow Silver badge

      "So I unplugged the network and took pictures of the screen with my phone."

      Used to use an old Polaroid instant film camera with special adapter hood.

      Sysadmin went nuts. "Not what we are here for" blah blah.

      But he insisted on being the only one who could set up network connections, because self-promotion security. He was a backroom admin, not routinely allowed on customer premises, so we explained that it was the only non-network option available and told him we needed a consistent presentation style in our reports (Pritt stick and photocopier).

      After a bit he came back whining about digital backups. "OK, if you want to scan and archive everything, the roomful of filing cabinets is over there".

  6. Adrian 4

    FFS

    I take it the investigators had never actually tried to use an oscilloscope, or they'd have a bit more of a clue when suggesting that the measurements might be compromised by connecting to it.

    Yes, theoretically they could. In practice, they'd have to guess from the screen contents (captured and transmitted up the ethernet connection, thus either slow signals only or non-real-time), modify the settings (which also show up on the screen, so changing them is visible as well as the effect it has on the real display) without alerting the user, or else modify the image he sees by writing it back to the local screen device, in such a way that he makes incorrect decisions and errors in his design.

    This is somewhat more difficult than grabbing an endoscope image and modifying it so that the surgeon removes the wrong organ. Ain't gonna happen, because the artifacts of the manipulation will cause the surgeon to discard the instrument long before he makes any use of the images.

    Apart from this completely unrealistic scenario, what is the threat from a pwned oscilloscope on the network ? At best a staging post from which to launch further attacks - but if you already have network access, that's not a lot of gain.

    Finally, why pick out Siglent for this ? A very low-end brand using linux or some proprietary RTOS for the display. Better to pick on a high-end Tek or Keysight scope running an unpatched out-of-date copy of Windows.

    1. stiine Silver badge
      Facepalm

      Re: FFS

      Why in hell would they need to know what the screen is displaying? All they have to do is add a small +- random value, generated each time you turn it on or after 24 hours, to every reading that gets displayed/printed/logged/etc, and viola, your osciloscope is useless and your products are going to be garbage.

      1. Paul Crawford Silver badge

        Re: FFS

        Really, if you have someone on the inside of your network then messing with a scope is not going to be the most productive way of causing chaos, not by a long chalk.

        1. John Brown (no body) Silver badge

          Re: FFS

          "Really, if you have someone on the inside of your network then messing with a scope is not going to be the most productive way of causing chaos, not by a long chalk."

          I guess that depends on what damage you want to cause and how subtle and unobtrusive you want to be. It;s not as if the black hats are trying to destroy uranium separation centrifuges over a long period of time in a way so as to remain undetected for as long as possible, thus slowing down, almost halting, the entire system and probably costing the victims $millions.

        2. katrinab Silver badge
          Black Helicopters

          Re: FFS

          If you want to do stuff without being noticed, that is the sort of place you would work from.

          1. Danny 14

            Re: FFS

            in the world of espionage you want to gain access to areas without appearing to be able to do so. A junior using an oscilloscope might fit the bill. Just another attack vector.

      2. Adrian 4

        Re: FFS

        @stiine

        No, that will have no effect at all on the company's products. It will just result in a few hours of frustration for the user of the equipment, followed by an attempt to recalibrate it to fix the random errors, followed by putting it at the back of the cupboard while a decent replacement is purchased.

        Clue : Oscilloscope readings are not used in isolation with their effects cast forever into a design. They're one of many things used to help see what's going on and contribute to a result.

        The one area it might have an effect is if the scope is used to implement some production margin tests. There, it might (if you knew *exactly* how it was used), either fail too many products (causing some extra costs until the reason for more rejects was investigated) or pass too many (causing a possible problem for a customer and maybe, if enough 0.1% probabilities in a line came out badly, some loss of reputation).

        If you replaced the ink in a company's biros with fast-fading 'secret' ink, do you think it would bring the company to it's knees ? Or just cause some minor inconvenience until somebody worked it out ?

    2. Mike 137 Silver badge

      Re: FFS

      @Adrian4

      I entirely agree with your position, and would add - why is anyone going to control an oscilloscope remotely over any distance greater than the length of a bench and so by implication on a single network segment? You've got to be able to see the device under test and the oscilloscope screen!

      Consequently the fact that the interface is not barricaded against cyber attack is pretty trivial. All my Ethernet connected test gear has "insecure" TCP/IP connectivity, but I have an isolated segment in the lab and nothing there touches the outside world.

      There's a strong possibility that folks who report bugs like these are having a quiet day. They'd be better off sticking to the huge array of ludicrously insecure devices that perforce connect to the web - aka IoT.

  7. jake Silver badge

    I dunno about all y'all ...

    ... but when I set up an R&D lab, the network is airgapped. Not just from the outside world, but from the rest of the company as a whole. There are some networks that you really, really don't need or want to be available from the outside. For a lot of reasons.

    Yes, I know, some damn fool of a manager will probably find an excuse to have access to the R&D network from his/her desk, but that's out of my control & happens AFTER the company in question signs off on my design and implementation. Sometimes I even get paid to fix it after said dimwit manager breaks it.. heat wan't broken when I

    Non-R&D test equipment doesn't need fancy stuff like network capability in the first place. Neither does most R&D equipment, but what with people thinking autonomous vacuums should have Internet connections, cameras and microphones these days, who is going to listen to me? It's ugly, but it's a living.

  8. Anonymous Coward
    Anonymous Coward

    Do these people have any idea how an oscillioscope is actually used?

    I can see the point about it potentially, somehow, maybe, being a point of compromise on the wider network. But the idea that someone could somehow gain anything useful from spying on a random oscilloscope, or somehow ingeniously altering its output, is laughable.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Credas

      "the idea that someone could somehow gain anything useful from spying on a random oscilloscope"

      Well, Target was pwned via its air-conditioning unit. I'm personally thinking you could use this to inject other systems - no one would suspect the scope - or infect it, wait for it to be transferred to another lab and then mess with stuff on that network.

      Just use your imagination.

      C.

    2. Jellied Eel Silver badge

      Re: Do these people have any idea how an oscillioscope is actually used?

      [quote]But the idea that someone could somehow gain anything useful from spying on a random oscilloscope, or somehow ingeniously altering its output, is laughable.[/quote]

      Define useful? And it's not just scopes. So it may be some other bit of kit with network based datalogging. Owner gets to peruse the data, so might competitors. Or maybe you could just waste time & money by messing with the calibration so it isn't. Like most security, it's all about trust, and a most of the time, you really want to be able to trust your test kit.

  9. Dwarf
    Joke

    So you could say that there is scope for improvement in the Siglent software

    1. Anonymous Coward
  10. David Shaw

    stuxnet/duqu

    after my lab was hit by a probable olympic-games family of malware, my Tektronix RSA 3408A was spontaneously upgraded to a Tek 3408B with a snappy new motherboard without the expected $75000,

    nice of them!

    I currently use mainly Yokogawa oscilloscopes/ScopeCorders as they are not Windows based

    1. bombastic bob Silver badge
      Facepalm

      Re: stuxnet/duqu

      Tektronix was using WINDOWS? ew... [got any BSOD screenshots?]

      /me verifies that model number - an expensive spectrum analyzer, with windows XP OS? <facepalm>

      I guess the coolaid tasted pretty good, back then...

      1. Howard Long

        Re: stuxnet/duqu

        I have a 1GHz HP/Agilent/Keysight Infiniium mixed signal scope in the lab from about 2003 running XP although there were earlier editions of the same scope running Windows 98. An equivalent new scope today (with equivalent options such as deep memory and serial triggering) would be around $20,000.

        The equivalent higher end scopes today still run full fat Windows, I think it’s still Windows 7. The low to mid range run Windows CE.

        The top end scopes go for same price as a house,

        1. Data Mangler

          Re: stuxnet/duqu

          Keysight (previously Agilent/HP) recently announced a 110 GHz scope costing over a milliion. That's probably several streets of houses in some places.

  11. jake Silver badge

    I found a friend with one of these things.

    Firmware version 5.1.3.13

    Default "root" telnet login, with no password, giving you access to BusyBox 1.20.1 (released May 2012) running on Linux kernel 3.19.0 (February 2015; EOL May 2015) ... And glibc 2.13 (January 2011).

    The shadow password file is stored on a cramfs (lovely).

    Sounds like an accident waiting to happen. We installed a script to turn off telnet on boot (can re-enable it with a dumb terminal, if needed). The machine will not see an Internet connected LAN until (if!) the manufacturer issues an update.

  12. Howard Long

    Still plenty of XP and Windows 2000 scopes

    There is still plenty of high end test equipment about running Windows XP, 2000 and even 95/98 with ethernet ports.

    The simple reason is that new hardware replacements for high end gear are several $10k or $100k.

    The problem is that high end test equipment has a useful lifetime far beyond your average PC, measured in decades, not years.

    Adding any OS with network capability to any hardware with little or no upgrade path inevitably builds in obsolescence, unless you don’t plug it in.

  13. The Original Steve

    More common than you think

    Worked in a crisp factory years ago as their Infrastructure guy.

    The lab wanted a new microscope for QA which has an ethernet port and some "server" software to run on the client PC.

    One unique requirement was that QA wanted the output text files - which were stored locally by default - to be sucked up by the ERP system.

    Salesman assure the buyer that we can just SMB into it and pickup the file. He hinted that it was just Windows underneath too.

    So I had a look about how to secure the SMB share or to see if I could have a script on it which uploaded the output file to our ERP inbound file share, and peeked under the hood.

    It was running Windows 95, had no security at all and amazingly also had a telnet server running on it without any authentication at all.

    This was in 2012, and the microscope cost many tens of thousands of pounds.

    When QA said they were thinking of buying more of them I tried to raise objections, which obviously fell on deaf ears.

    In the end I put them on their own VLAN and firewalled them off. Best I could do without "invalidating the warranty".

  14. Ken Moorhouse Silver badge

    IEEE-488

    Reading thse comments reminds me that the most modern 'scopes I came across had IEEE-488 interface connectors on them. Seemed pretty versatile at the time (well, bearing in mind the chunky cables and the maximum cable length). Whatever happened to that connectivity method?

    1. An nonymous Cowerd

      Re: IEEE-488

      still used in my calibration lab for a scientific project,

      GPIB is reliable and is fairly easy to programme in LabView

      I just bought $10K of hp/agilent/keysight PSUs (four) in order to GPIB a one second (six kilowatt) flash from rather a lot of LEDs. They should be arriving today!

  15. Paul Uszak
    Mushroom

    The Rigol 1054 is one of the most popular scopes in the DIY space. It's brilliant for the price of ~£370. And it's wide open at the back too. No authentication at all, helped along with automatic DHCP so all one need do is to shove a network cable up it's ass and it's on line.

    You get full remote control of the scope, as well as total access to the sampling data. So you can read the wave forms from my little circuits. Great! The real issue is that this is a powered and networked computer with no sign on whatsoever. It may already be the case that it can be made to execute code remotely, due to some bug in the LXI command interface. What if you then can load malware onto it via Ethernet? Could you simply brick it for a bit of fun, or use it as a clandestine staging post for further exploits? Stuxnet-LXI perchance?

    My nightmare is that my oscilloscope might be taken over and connect with my on-line wine chiller...

  16. Anonymous Coward
    Anonymous Coward

    Horrible workplace security

    My boss has a completely /unprotected/ piece of paper on hix desktop. Literally /anybody/ who has access to my workplace could walk up to that desk and write on that piece of paper. Not only that, they could /use that piece of paper/ to send bomb threats or to implement man-in-the-middle communications hacking.

    I've.tried to warn him, but he just doesn't care.

    1. An nonymous Cowerd

      Re: Horrible workplace security

      @AC under reasonable security rules, as I was taught them, as I left the office (locking it) , I would have tidied up the desk, locked all the loose paperwork AND the test-equipment hard-disks in the reliable office safe. That was the life. Also if I forgot to unplug the soldering iron I would similarly be sacked.

      In my current lab we just lock a backup copy of critical data in the office safe, for fire recovery purposes (allegedly a fireproof data safe) and there are mountains of paperwork everywhere and we give all data away, openly - but some places will have very clean desks so your fiendish paper-based master-plan has flaws!

      Check how many serious test-eqpt vendors provide extractable HDDs, at extra $$$, of course

    2. Francis Boyle Silver badge

      Is it company letterhead

      and has he put his signature at the bottom?

  17. Data Mangler

    This will upset a lot of people

    If Siglent block this hole it will upset a lot of people. These scopes are sold with a variety of bandwidths and features. The hardware is the same in each case. The backdoor is used by many as a means of hacking into the scope to obtain a free upgrade from a cheap entry-level version, although I believe Siglent have been trying to make that more difficult lately. Head over to the eevblog for more details.

  18. Christian Berger

    It's actually not that relevant

    Those LAN ports are barely ever used at all, and if they are used they are used with a second network card. After all the LAN port is just a cheaper way of running GPIB to a PC.

    And seriously, if a single device on your network can own the whole network, you have seriously messed up.

  19. 0laf
    Holmes

    So the attacker already has physical access to your network. You're in a bad place anyway.

    Hacking the oscilloscope probably isn't next on their agenda with that access.

    So a nice unsual vulnerability but probably not very important. If you're running a high assurance network I would hope you'd be examining every bit of network aware kit coming in and making appropriate descisions regarding their use.

  20. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like