Prof. Dr.-Ing. Guenter Schaefer, June 15th 2018
In response to the statement by the company Ecos Technology GmbH dated June 14th 2018 on our security analysis of the Ecos Secure Boot Stick published June 13th 2018, we would like to add the following notes.
The company writes under point "1.) Alleged “backdoors” via SSH Root Access" that the uncovered SSH root logins
are destined for manufacturer maintenance purposes, but must be
explicitly authorized in the management by our customers. As
these are documented features of our products and since ECOS has
no access unless the customer expressly authorizes it, we wonder
why the authors label it as a “backdoor” or a “security risk”.
This statement is technically incorrect, because in Management Appliance V5 only the SSH logins for the users "remotesetup" and "remotebackup" may be activated or deactivated. According to our analysis the user "root" is always activated in the SSH configurations of both the management appliance and the Secure Boot Stick, as described in sections 2.1 and 2.9 of our security analysis (including explanations of how these vulnerabilities can be reproduced).
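For a customer who wants to verify on their own installation which SSH login state actually applies, the following is an added audit example (not code from the security analysis and not from ECOS). It assumes the SSH daemon reads an OpenSSH-style sshd_config, which the statement above does not say; the two configurations it inspects are constructed for illustration and are not the product's real files. It reports the effective PermitRootLogin policy and whether AllowUsers/DenyUsers restrict the root account, so the result can be compared against what the management interface shows.

```python
"""Audit an OpenSSH-style sshd_config for the effective root login policy.

Added example, not part of the published security analysis or of any
ECOS product. Assumption: the daemon honours OpenSSH semantics, i.e. the
first occurrence of a keyword wins and keywords after a 'Match' line apply
only to matching connections. Sample configurations are constructed.
"""
import re

# OpenSSH default since 7.0 when the keyword is absent: key-based root
# login is allowed, password login for root is refused.
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"

# Constructed sample: root reachable over SSH although the management UI
# would only show the two maintenance accounts.
CONFIG_ROOT_OPEN = """\
# constructed sample, not a real product file
PermitRootLogin yes
AllowUsers root remotesetup remotebackup
"""

# Constructed sample of a hardened variant.
CONFIG_HARDENED = """\
PermitRootLogin no
AllowUsers remotesetup remotebackup
"""

_LINE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")


def first_global_value(config_text: str, keyword: str):
    """Return the argument of the first global occurrence of keyword (case-
    insensitive), or None. Lines inside Match blocks are ignored, since they
    do not describe the global policy."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True  # everything after a Match line is conditional
            continue
        if in_match:
            continue
        if key == keyword.lower():
            return value
    return None


def effective_permit_root_login(config_text: str) -> str:
    """Effective global PermitRootLogin value, applying the OpenSSH default."""
    value = first_global_value(config_text, "PermitRootLogin")
    return value.lower() if value is not None else DEFAULT_PERMIT_ROOT_LOGIN


def _user_names(entries: str) -> set:
    # AllowUsers/DenyUsers entries may be 'user' or 'user@host'; wildcard
    # patterns are not expanded here (simplification of this example).
    return {entry.split("@", 1)[0] for entry in entries.split()}


def root_ssh_login_possible(config_text: str):
    """Return (possible, reason) for the root account under this config."""
    policy = effective_permit_root_login(config_text)
    if policy == "no":
        return False, "PermitRootLogin no"
    allow = first_global_value(config_text, "AllowUsers")
    if allow is not None and "root" not in _user_names(allow):
        return False, "root not listed in AllowUsers"
    deny = first_global_value(config_text, "DenyUsers")
    if deny is not None and "root" in _user_names(deny):
        return False, "root listed in DenyUsers"
    if policy in ("prohibit-password", "without-password"):
        return True, "root login possible with public-key authentication only"
    return True, f"PermitRootLogin {policy}"


if __name__ == "__main__":
    for name, cfg in (("root-open", CONFIG_ROOT_OPEN), ("hardened", CONFIG_HARDENED)):
        possible, reason = root_ssh_login_possible(cfg)
        print(f"{name}: root SSH login possible={possible} ({reason})")
```

Run against the real file with `root_ssh_login_possible(open("/etc/ssh/sshd_config").read())`; a result of `True` while the management interface offers no root toggle is exactly the discrepancy worth raising with the vendor. The check deliberately stops at the configuration: whether an `authorized_keys` file for root exists is a separate question.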
In the product documentation available to us (ECOS System Management Appliance V5, revision 0111 of December 2017, in German) a possible "root" account is mentioned only in section 3.4.5 (the following paragraph is translated from the German version by Google Translate, with minor additions for better readability marked in "[]", as we do not have an English version of the manual at our disposal):
In the "Local Maintenance" tab, the settings for the local
Maintenance access [can be] configured. A tick at "Password for
console enable" enables the user-defined password for login at the
console. The registration takes place with the user name "setup".
If no password is set, the default password is "bb5000". In any
case, no shell or root access is possible through the console,
but only to a menu, the basic maintenance tasks such [as] [...]
setting the IP address or sending a ping etc., [are] allowed.
(translated from section 3.4.5 of the above-mentioned German manual) The original German version is:
Im Reiter „Lokale Wartung“ werden die Einstellungen für den
lokalen Wartungszugang konfiguriert. Ein Haken bei „Kennwort
für Konsole aktivieren“ aktiviert das benutzerdefinierte
Kennwort für die Anmeldung an der Konsole. Die Anmeldung
erfolgt mit dem Benutzernamen „setup“. Ist kein Kennwort
gesetzt, lautet das Standardkennwort „bb5000“. In jedem Fall
ist über die Konsole kein Shell- oder Root-Zugang möglich,
sondern nur zu einem Menü, das grundlegende Wartungsaufgaben,
wie z. B. Setzen der IP-Adresse oder Senden eines ping etc.,
erlaubt.
Searching for the word "root" in the PDF file of the German manual does not yield any further hits, so we cannot follow the reasoning in the statement published by Ecos. However, in case we have overlooked a note in the documentation mentioning the SSH root accounts, we kindly ask the company Ecos for the appropriate reference, so that we can supplement our security analysis accordingly.
Furthermore, the company Ecos writes in its statement:
The authors refused to disclose the exploit code as tangible
proof, referring to §202 StGB. They generally denied any
cooperation that would have helped us to build correspondent
security patches. Instead, they provided a video footage
supposed to show the exploits. There is consequently no clear
evidence on whether the footages show true exploits or only
simulated scenes. Insofar, unless the text specifies the attack,
we have to retrace and rebuild the exploits based on the
available information.
It is correct that we did not provide any exploit code, in order to comply with §202 of the German Penal Code (in particular the relevant §202c, which prohibits the distribution of computer programs that can be used to eavesdrop on data or perform similar attacks with this aim). The statement that we "generally denied any cooperation" is not correct. After taking note of our security analysis, which we provided to Ecos on April 13th, the company contacted us multiple times by email with specific technical inquiries. All of these emails were answered by us within two to three working days. Specifically, the exact dates of the emails containing technical questions (Q) and of our answers (R) with appropriate explanations were: April 19th 2018 (Q), April 19th 2018 (R), April 20th 2018 (Q), April 24th 2018 (R), April 24th 2018 (Q), April 26th 2018 (R).
Additionally, the explanations contained in our answers were also included as clarifications in the security analysis document. After April 24th we did not receive any further technical questions from Ecos concerning our security analysis. Furthermore, in their emails the company Ecos neither raised any questions nor indicated any objection with respect to our findings concerning the above-mentioned undocumented SSH root logins.
If the company Ecos Technology GmbH agrees, we willingly offer to publish all exchanged emails in full on this page (in German).