Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks

Cyber Security Threat Summary:
During last week’s Black Hat Asia 2023 conference, Israeli industrial cybersecurity firm OTORIO disclosed several vulnerabilities in cloud management platforms associated with three industrial cellular router vendors that could expose OT networks to external attacks. In total, 11 vulnerabilities were disclosed, which could enable threat actors to execute code remotely and take control over hundreds of thousands of devices and OT networks. In particular, the flaws impact the cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices. OTORIO highlighted three different attack vectors that could be leveraged to take control over devices managed via these platforms:

Weak asset registration mechanisms (Sierra Wireless): An attacker could scan for unregistered devices that are connected to the cloud, get their serial numbers by taking advantage of the AirVantage online Warranty Checker tool, register them to an account under their control, and execute arbitrary commands.
Flaws in security configurations (InHand Networks): An unauthorized user could leverage CVE-2023-22601, CVE-2023-22600, and CVE-2023-22598, a command injection flaw, to gain remote code execution with root privileges, issue reboot commands, and push firmware updates.
External API and interfaces (Teltonika Networks): A threat actor could abuse multiple issues identified in the remote management system (RMS) to "expose sensitive device information and device credentials, enable remote code execution, expose connected devices managed on the network, and allow impersonation of legitimate devices."

Security Officer Comments:
The 11 vulnerabilities are being tracked as CVE-2023-22601, CVE-2023-22600, CVE-2023-22598, CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2586, CVE-2023-2587, CVE-2023-2588, CVE-2023-32349, and CVE-2023-32350, and encompass a range of security issues, including improper access control, operating system (OS) command injection, router impersonation, cross-site scripting (XSS), and more. According to OTORIO, successful exploitation of these issues could enable actors to access and control networked devices and change router settings in order to manipulate configurations such as DNS settings or firewall rules. Using the compromised industrial devices, the actors could further launch attacks against other devices or networks. In turn, this could pose a huge supply-chain risk, as a single compromised device could act as a backdoor for accessing several OT networks.

Suggested Correction(s):
(OTORIO) The potential impact on thousands of industrial environments is alarming and should be a concern for both private and public sectors. It highlights the urgent need for effective security measures, proper deployment best practices, and improved communication of risks by vendors.

A key challenge lies in user awareness. Many users may be unaware of the automatic connections established by these devices or may follow simplified deployment architectures outlined in vendor guides. Moreover, the presence of certain built-in security features can create a false sense of security. It is important to recognize that the overall safety of these devices is only as strong as their weakest component. Once compromised, the effectiveness of these security features becomes irrelevant.

To address these challenges, organizations must prioritize the implementation of robust security measures and make informed decisions regarding device deployment. By taking proactive measures, organizations can effectively safeguard their devices in sensitive industrial environments.

Practical mitigation strategies for users

Disable unused cloud feature: If you're not actively using the cloud management feature of your industrial cellular routers, disable it to prevent device takeovers and reduce the attack surface.
Register devices: Before connecting your devices to the internet, register them under your own account in the cloud platform to establish ownership and control, preventing unauthorized access.
Limiting direct access from IIoT: Industrial cellular routers' built-in security features like VPN tunnels and firewalls are ineffective once compromised. Adding separate firewall and VPN layers can assist with delimiting and reduce risks from exposed IIoT devices used for remote connectivity.

Practical mitigation strategies for vendors

Avoid usage of weak identifiers: Use an additional "secret" identifier during device registration and connection establishment for enhanced security.
Enforce initial credential setup: Default credentials for remote-accessible devices can present a significant problem.
Industrial IoT ≠ IoT: Implement tailored security measures for IIoT considering the unique requirements. This may involve reducing "high-risk" features upon demand and adding extra layers of authentication, encryption, access control, and monitoring.

Link(s):
https://thehackernews.com/2023/05/industrial-cellular-routers-at-risk-11.html
https://go.otorio.com/hubfs/reports...its-assessing-risks-in-cloud-managed-iiot.pdf