Eleven vulnerabilities in the cloud-management platforms of three industrial cellular router vendors put operational technology (OT) networks at risk for remote code execution, even if the platform is not actively configured for cloud management, researchers have found.
The vulnerabilities are so severe that even though they affect devices from only three vendors — Sierra Wireless AirLink, Teltonika Networks RUT, and InHand Networks InRouter — they could impact thousands of industrial Internet of things (IIoT) devices and networks in a variety of sectors, warn Eran Jacob, security research team leader, and Roni Gavrilov, security researcher, from Otorio.
"Breaching of these devices can bypass all of the security layers in common deployments, as IIoT devices are commonly connected both to the Internet and the internal OT network," the researchers tell Dark Reading. "It also raises additional risk for propagation to additional sites through the built-in VPN."
If attackers achieve direct connectivity to the internal OT environment, it also may lead to impact on production and safety risks for users across the physical environment, the researchers added.
Moreover, attackers have a number of vectors from which they can exploit the vulnerabilities, including by gaining root access through a reverse-shell; compromising devices in the production network to facilitate unauthorized access and control with root privileges; and compromising devices to exfiltrate sensitive information and perform operations such as shutdown, the researchers said.
Gavrilov shared key findings and remediation tips about the flaws at Black Hat Asia 2023 last week, and the company also published a report that it shared with Dark Reading. All of the vulnerabilities were responsibly disclosed in coordination with the vendors and CISA and have been mitigated by the vendors, according to Otorio.
Where the Issues Lie
An industrial cellular router allows multiple devices to connect to the Internet from a cellular network. These routers are commonly used in industrial settings, such as manufacturing plants or oil rigs, where traditional wired Internet connections may not be available or reliable, the researchers said.
"Industrial cellular routers and gateways have become one of the most prevalent components in the IIoT landscape," Gavrilov wrote in the report. "They offer extensive connectivity features and can be seamlessly integrated into existing environments and solutions with minimal modifications."
Vendors of these devices employ cloud platforms to provide customers with remote management, scalability, analytics, and security across their OT networks. Specifically, researchers found various vulnerabilities that "pertain to the connection between IIoT devices and cloud-based management platforms," which, in some devices, is enabled by default, the researchers explain to Dark Reading.
"These vulnerabilities can be exploited in various scenarios, affecting devices that are both registered and unregistered with remote management platforms," they say. "Essentially, it means that there are security weaknesses in the default settings of certain devices' connectivity to cloud-based management platforms, and these weaknesses can be targeted by attackers."
The typical connectivity to these platforms relies on machine-to-machine (M2M) protocols like MQTT for device-cloud communication together with Web interfaces for user management, according to the report. MQTT operates on a publish-subscribe model, where the broker manages topics and devices can subscribe to receive published information. A specialized device API is also commonly used for initialization communication with the cloud platform, along with user API and Web interface for management of the devices.
Researchers identified critical issues that can be exploited by various attack vectors in three key areas of this connectivity: the asset-registration process, security configurations, and external APIs and Web interfaces, they said.
"Attackers could target specific facilities by leveraging sources like WiGLE and information-leak vulnerabilities (such as [those] found in InHand devices), or perform a wide attack on thousands of devices, aiming for wider impact or access," the researchers tell Dark Reading.
Moreover, exploitation of the vulnerabilities could allow attackers to interfere with operational processes, putting the safety of those working in the environment at risk, they say.
One attack vector that can be highly valuable in particular to ransomware groups — which are ramping up industrial network attacks — is to reach sites beyond the initial access point that are at risk due to built-in VPN connectivity of devices, the researchers say. This can allow attack propagation across the broader network, to control centers and SCADA (Supervisory Control and Data Acquisition) servers, they say.
Researchers outlined a number of mitigation strategies for both OT network administrators and vendors of these devices. OT network administrators should disable any unused cloud feature if they're not actively using the router for cloud management to prevent device takeovers and reduce the attack surface, the researchers advised.
They also should register devices under their own accounts in the cloud platform before connecting them to the Internet. This establishes ownership and control and prevents unauthorized access, the researchers said.
Further, administrators can limit direct access from IIoT devices to the routers, since built-in security features like VPN tunnels and firewalls are ineffective once compromised, the researchers said.
"Adding separate firewall and VPN layers can assist with delimitering and reduce risks from exposed IIoT devices used for remote connectivity," Gavrilov wrote in the report.
For their part, vendors can avoid building vulnerabilities into their devices by avoiding the use of weak identifiers and using an additional "secret" identifier during device registration and connection establishment, the researchers advised. They should also enforce initial credential setup so network operators avoid using default credentials and thus introducing security risks immediately into the network. Moreover, the security requirements of the IIoT are unique and should be considered separately to the IoT footprint because the two are not equivalent, the researchers warned.
"This may involve reducing 'high-risk' features upon demand and adding extra layers of authentication, encryption, access control, and monitor," Gavrilov wrote.