After ignoring a serious security vulnerability in its product for at least a year, a Canadian company that makes equipment and software for critical industrial control systems announced quietly on Friday that it would eliminate a backdoor login account in its flagship operating system, following public disclosure and pressure.
RuggedCom, which was purchased recently by German conglomerate Siemens, said it would release new versions of its RuggedCom firmware in the next few weeks to remove the backdoor account from critical components used in power grids, railway and traffic control systems, as well as military systems.
The company also said in a press release that the update would disable telnet and remote shell services by default. Those two services are communication vectors that would allow an intruder to discover and exploit a vulnerable system.
Critics say the company should never have installed the backdoor, which was exposed last week by independent security researcher Justin W. Clarke, and that, as a result, it has exhibited no evidence of security awareness in its development process, raising questions about other problems its products may contain.