Digital Oscilloscope Comes with Backdoor Accounts, Old Software Components

Some digital oscilloscopes that can communicate over the network fail to provide a minimum of security protections and allow unfettered access to unauthorized users.

Oscilloscopes are laboratory instruments that can measure how an electrical signal changes over time by showing a waveform representation. They are widely considered the center of an electronic lab bench since they are useful to any professional doing repairs on electronic gear. So tampering with the values it measures can do a lot of damage, especially in production environments.

Telnet service up and running

The product analyzed by security researchers at SEC-Consult is the SDS 1202X-E Digital Oscilloscope from Siglent, running firmware version 5.1.3.13. Among the faults they found were two hardcoded backdoor accounts: ‘root’ and ‘siglent.’

The device has Telnet service turned on and listens on the default TCP port 23. Connecting to the oscilloscope this way grants root access to an attacker on the local network.

SEC-Consult discovered the two accounts in the “/etc/shadow” directory by connecting to the oscilloscope via the UART interface. To avoid potential abuse of vulnerable devices in production environments, the security advisory does not disclose the password hashes for the accounts.

Changing the password hashes would solve this problem, but the operation is a complicated one because they are stored in a compressed ROM file system (cramfs), which is read-only.

Access without authentication

Another issue with the SDS 1202X-E oscilloscope is lack of authentication for access via the EasyScopeX software, a program that allows users to retrieve the waveform data and manipulate it to isolate particular signals.

“It is sufficient to install the “EasyScopeX” software and control the oscilloscope without any authentication,” the researchers say in their advisory.

EasyScopeX interface

These are just the critical security bugs in the SDS 1202X-E instrument. SEC-Consult informs that the product does not encrypt its communication over the network and relies on outdated, vulnerable components: BusyBox 1.20.1 released in 2012, GNU glibc 2.13 released in 2011, and Linux kernel 3.19.0 from 2015.

Reaching out to the vendor

The researchers tried to reach out to the vendor through VDE CERT for coordinated disclosure but received no reply. Efforts did not stop at this, though.

Siglent is headquartered in Shenzen, China, but it has offices in North America and Europe (in Hamburg, Germany). The research and development locations are in China.

On September 12, the VDE CERT communicated the advisory to a US salesperson in the US, to forward it to Siglent engineers. This attempt was also unsuccessful, as the US contact said they forwarded the information to the VP of Engineering and received no reply.

The risks associated with the vulnerabilities in the SDS 1202X-E line of digital oscilloscopes are limited to the local network. However, they should not be neglected, especially in a production environment, since anyone connected to the LAN can access the device.

It is recommended to use LAN communication only in trusted networks or to disable this capability if not needed. Another workaround is to use the UART interface to place a script that closes Telnet communication port during the boot sequence if it is not used.