Flaws in industrial wireless IoT solutions can give attackers deep access into OT networks

It’s common for operational technology (OT) teams to connect industrial control systems (ICS) to remote control and monitoring centers through wireless and cellular solutions that sometimes come with vendor-run, cloud-based management interfaces. These connectivity solutions, also known as industrial wireless IoT devices, increase the attack surface of OT networks and can provide remote attackers with a shortcut into previously segmented network segments that contain critical controllers.

Industrial cybersecurity firm Otorio released a report this week highlighting the attack vectors these devices are susceptible to, along with vulnerabilities the company’s researchers found in several such products. “Industrial wireless IoT devices and their cloud-based management platforms are attractive targets to attackers seeking an initial foothold in industrial environments,” the Otorio researchers said in their report. “This is due to the minimal requirements for exploitation and potential impact.”

A shift in traditional OT network architecture

OT security has traditionally followed the Purdue Enterprise Reference Architecture (PERA) model to decide where to place strong access control layers and how to segment networks. This model, which dates to the 1990s, splits enterprise IT and OT networks into six functional levels.

Level 0 is the equipment that directly influences physical processes and includes things like valves, motors, actuators, and sensors.

Level 1, or the Basic Control layer, includes field controllers such as programmable logic controllers (PLCs) and remote terminal units (RTUs) that control those sensors, valves, and actuators based on logic (programs) uploaded to them by engineers.

Level 2 is the supervisory control layer, which includes supervisory control and data acquisition (SCADA) systems that collect and act upon the data received from the Level 1 controllers.

Level 3 is the site control layer and includes systems that directly support a plant’s operations, such as database servers, application servers, human-machine interfaces, engineering workstations that are used to program field controllers, and more. This is often called the Control Center and is connected to an organization’s general IT enterprise network (Level 4) through a demilitarized zone (DMZ).

It’s in this DMZ that organizations have focused their perimeter security efforts, in order to have strong segmentation between the IT and OT parts of their networks. Additional controls are typically put in place between Level 3 and Level 2 to protect field devices from intrusions into the control centers.

However, some organizations have remote industrial installations that they need to connect to their central control centers. This is more common in industries such as oil and gas, where operators have multiple oil fields and gas wells in exploitation at different locations, but it’s also prevalent in other industries. These links between remote Level 0-2 devices and Level 3 control systems are often provided by industrial cellular gateways or industrial Wi-Fi access points.

These industrial wireless IoT devices can talk to field devices over several protocols, such as Modbus and DNP3, and then connect back to the organization’s control center over the internet using various secure communication mechanisms like VPN. Many device manufacturers also provide cloud-based management interfaces so that industrial asset owners can manage their devices remotely.

Vulnerabilities in industrial wireless IoT devices

These devices, like any others connected to the internet, increase the attack surface of OT networks and weaken the security controls organizations have traditionally put in place, offering attackers a bypass into the lower levels of OT networks. “Using search engines such as Shodan, we have observed widespread exposure of industrial cellular gateways and routers, making them easily discoverable and potentially vulnerable to exploitation by threat actors,” the Otorio researchers said in their report. Some of their findings regarding devices with internet-reachable web servers and interfaces include:

Vendor               Count    Shodan filter
Sierra Wireless      96,715   http.title:ACEmanager
Teltonika Networks   37,100   http.title:Teltonika
InHand Networks      13,990   http.html:"Login failed! Check your username & password"
Moxa                  1,782   http.html:"MOXA OnCell"
ETIC Telecom          1,538   http.html:"ETIC TELECOM"

The researchers claim they found 24 vulnerabilities in the web-based interfaces of devices from three of these vendors — Sierra, InHand, and ETIC — and managed to achieve remote code execution on all three.

While many of these flaws are still going through responsible disclosure, one that has already been patched affects Sierra Wireless AirLink routers and is tracked as CVE-2022-46649. This is a command injection vulnerability in the IP logging feature of ACEManager, the router’s web-based management interface, and is a variation of another flaw found by researchers from Talos in 2018 and tracked as CVE-2018-4061.

It turns out that the filtering Sierra put in place to address CVE-2018-4061 didn’t cover all exploit scenarios, and researchers from Otorio were able to bypass it. In CVE-2018-4061, attackers could attach additional shell commands to the tcpdump command executed by the ACEManager iplogging.cgi script by using the -z flag. This flag is supported by the command-line tcpdump utility and is used to pass so-called postrotate commands. Sierra fixed it by implementing a filter that removes any -z flag from the command passed to the iplogging script if it is followed by a space, tab, form feed or vertical tab, which would block, for example, “tcpdump -z reboot”.

What they missed, according to Otorio, is that the -z flag does not require any of those characters after it: a command like “tcpdump -zreboot” would execute just fine and bypass the filtering. This bypass alone would still limit attackers to executing binaries that already exist on the device, so the researchers developed a way to hide their payload in a PCAP (packet capture) file uploaded to the device through another ACEManager feature called iplogging_upload.cgi. This specially crafted PCAP file could also behave as a shell script when parsed by sh (the shell interpreter), and its parsing and execution could be triggered using the -z vulnerability in iplogging.cgi.

Cloud management risks

Even if these devices don’t expose their web-based management interfaces directly to the internet, which isn’t a secure deployment practice anyway, they might not be completely unreachable by remote attackers. That’s because most vendors provide cloud-based management platforms that allow device owners to perform configuration changes, firmware updates and device reboots, tunnel traffic over the devices, and more.

The devices typically communicate with these cloud management services using machine-to-machine (M2M) protocols, such as MQTT, and their implementation could have weaknesses. The Otorio researchers found critical vulnerabilities in the cloud platforms of three vendors, allowing attackers to compromise any cloud-managed devices remotely without authentication.

“By targeting a single vendor cloud-based management platform, a remote attacker could expose thousands of devices located on different networks and sectors,” the researchers said. “The attack surface over the cloud management platform is wide. It includes exploitation of the web application (cloud user interface), abusing M2M protocols, weak access control policies, or abusing a weak registration process.”

The researchers illustrate these risks with a chain of three vulnerabilities they found in the “Device Manager” cloud platform of InHand Networks and the firmware of its InRouter devices, which could have resulted in remote code execution with root privileges on all cloud-managed InRouter devices.

First, they looked at the way devices talk to the platform through MQTT and how authentication, or “registration,” is performed, and they found that the registration uses insufficiently random values and could be brute-forced. In other words, two of the vulnerabilities allowed the researchers to force a router to hand over its configuration file by impersonating an authenticated connection, and to write tasks to the router such as changing its hostname.

The third vulnerability was in the way the router parsed configuration files received through MQTT, particularly in the function used to parse parameters for a feature called auto_ping. The researchers found they could enable auto_ping and then concatenate a reverse shell command line to the auto_ping_dst parameter, and this would execute with root privileges on the device.
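Both the ACEManager -z bypass and the auto_ping_dst injection share one root cause: a user-controlled string is spliced into a command line, and a blocklist is then expected to catch every dangerous spelling. The following is an added example written for this article, not code from Sierra, InHand or Otorio. It contrasts a constructed stand-in for the "strip -z only when whitespace follows" blocklist with the approach a practitioner would want instead: parse the request into an argv list, accept only allowlisted options with validated values, validate a ping destination as an IP literal or hostname, and execute without a shell. The option allowlist, the interface-name pattern and the LAN-style hostname rules are assumptions chosen for the example.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed stand-in for the blocklist described for the CVE-2018-4061 fix:
# drop "-z" only when a space, tab, form feed or vertical tab follows it.
# This is not Sierra's code; it is here to show why a blocklist is fragile.
_Z_THEN_SEPARATOR = re.compile(r"-z[ \t\f\v]+")

def legacy_filter(arg_string: str) -> str:
    """Blocklist approach: remove '-z<separator>' and pass the rest through."""
    return _Z_THEN_SEPARATOR.sub("", arg_string)

# Allowlist approach: the few options an IP-logging feature needs, each with a
# validator for its value (assumed set). Anything not listed is refused.
_IFACE = re.compile(r"[a-z][a-z0-9.-]{0,14}")
_UINT = re.compile(r"[0-9]{1,6}")
TCPDUMP_OPTIONS = {"-i": _IFACE, "-c": _UINT, "-s": _UINT}  # options with a value
TCPDUMP_FLAGS = {"-n", "-e"}                                # options without one

def build_tcpdump_argv(arg_string: str) -> list:
    """Turn a user-supplied option string into an argv list for shell-free
    execution. getopt treats '-i eth0' and '-ieth0' alike, so both spellings
    are parsed here too, which is exactly what the separator filter overlooked.
    Unknown options, including every '-z' form, raise ValueError. A BPF filter
    expression would need its own validator and is simply rejected here.
    """
    tokens = shlex.split(arg_string)   # no shell ever sees the raw string
    argv = ["tcpdump"]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if tok in TCPDUMP_FLAGS:
            argv.append(tok)
            continue
        opt, value = (tok, None) if tok in TCPDUMP_OPTIONS else (tok[:2], tok[2:])
        if opt not in TCPDUMP_OPTIONS:
            raise ValueError(f"option not allowed: {tok!r}")
        if not value:                  # value given as the next token
            if i >= len(tokens):
                raise ValueError(f"missing value for {opt}")
            value = tokens[i]
            i += 1
        if not TCPDUMP_OPTIONS[opt].fullmatch(value):
            raise ValueError(f"bad value for {opt}: {value!r}")
        argv += [opt, value]
    return argv

def tcpdump_request_allowed(arg_string: str) -> bool:
    """Yes/no wrapper for callers that only need the verdict."""
    try:
        build_tcpdump_argv(arg_string)
        return True
    except ValueError:
        return False

# Hostname label per RFC 1123: letters, digits, hyphens; no leading/trailing hyphen.
_HOST_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def validate_ping_destination(value: str) -> bool:
    """For an auto_ping_dst-style setting: accept an IP literal or a hostname
    and nothing else. Spaces, ';', '|', '$' and the like never match, so an
    appended command line is rejected before any process starts."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or len(value) > 253:
        return False
    return all(_HOST_LABEL.fullmatch(label) for label in value.rstrip(".").split("."))

def ping_argv(destination: str, count: int = 3) -> list:
    """argv for the ping an auto_ping feature would run. '--' ends option
    parsing, so a validated value can never be read as a flag either."""
    if not validate_ping_destination(destination):
        raise ValueError(f"refusing to ping {destination!r}")
    return ["ping", "-c", str(int(count)), "--", destination]

def run(argv: list) -> subprocess.CompletedProcess:
    """Execute with shell=False: the list goes straight to execve, so nothing
    re-parses the arguments as shell syntax."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=30)
```

The difference worth noticing is where the decision is made: the blocklist asks "does this string contain the bad thing?", which fails as soon as the underlying tool accepts a spelling the filter author did not think of, while the allowlist asks "is this one of the few things we meant to allow?" and everything else, including `-zreboot` or a destination with a `;` in it, fails closed.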

Wireless attacks on OT networks

In addition to the remote attack vectors reachable over the internet, these devices also expose Wi-Fi and cellular signals locally, so any attacks against those technologies could be used against them. “Different types of local attacks can be used against Wi-Fi and cellular communication channels, starting from attacks on weak encryptions such as WEP and downgrade attacks to the vulnerable GPRS, all the way to complex chipset vulnerabilities that may take time to patch,” the researchers said.

While the researchers didn’t investigate Wi-Fi or cellular baseband modem vulnerabilities, they performed reconnaissance using WiGLE, a public wireless network mapping service that collects information about wireless access points worldwide. “Leveraging the advanced filtering options, we wrote a Python script scanning for potentially high-value industrial or critical infrastructure environments, highlighting ones configured with weak encryption,” the researchers said. “Our scanning uncovered thousands of wireless devices related to industrial and critical infrastructure, with hundreds configured with publicly known weak encryptions.”

Using this approach, the researchers managed to find devices with weak wireless encryption deployed in the real world in manufacturing plants, oil fields, electrical substations, and water treatment facilities. Attackers could use such reconnaissance to identify vulnerable devices and then travel on site to exploit them.

Mitigating wireless IoT device vulnerabilities

While patching vulnerabilities in such devices when they’re found is critically important because of their privileged position in OT networks and their direct access to critical controllers, additional preventive steps should be taken to mitigate risks. The Otorio researchers have the following recommendations:

  • Disable and avoid any insecure encryptions (WEP, WAP) and, when possible, don’t allow legacy protocols such as GPRS.
  • Hide your network names (SSID).
  • Use MAC-based whitelisting, or use certificates, for connected devices.
  • Validate that management services are restricted to the LAN interface only or are IP whitelisted.
  • Ensure no default credentials are in use.
  • Be alert to new security updates for your devices.
  • Verify these services are disabled if unused (enabled by default in many cases).
  • Implement security solutions separately (VPN, firewalls), treating traffic from the IIoT as untrusted.
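Most of the items above are properties an operator can read out of a gateway's configuration, which means the same weak-encryption triage Otorio ran against WiGLE data can be run against your own inventory before anyone else does. The following is an added example written for this article, not a tool from Otorio or any vendor: it encodes the checkable recommendations as an audit over a constructed device inventory and tallies findings across a fleet. Assumptions not taken from the report are marked in the code: open networks, WEP and first-generation WPA are treated as weak, GPRS as the legacy cellular mode, and "lan" as the only interface management services may listen on.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumptions for this example (not from the Otorio report): which Wi-Fi modes
# count as weak, which cellular mode is legacy, and the name of the LAN interface.
WEAK_WIFI = {"OPEN", "WEP", "WPA", "WPA-TKIP"}
LEGACY_CELLULAR = {"GPRS"}
LAN_IFACE = "lan"

@dataclass
class GatewayConfig:
    """Constructed representation of a gateway's security-relevant settings."""
    name: str
    wifi_security: str            # e.g. "WEP", "WPA2-PSK", "WPA3-SAE", "OPEN"
    ssid_broadcast: bool          # True if the SSID is beaconed
    client_auth: str              # "none", "mac-allowlist" or "certificate"
    mgmt_interfaces: List[str]    # interfaces the admin UI / SSH listen on
    mgmt_allowed_ips: List[str]   # management source allowlist; empty = any
    cellular_modes: List[str]     # modes the modem is allowed to negotiate
    default_creds_changed: bool   # vendor default password replaced
    enabled_services: List[str]   # services currently running
    required_services: List[str]  # services the deployment actually needs

def audit(cfg: GatewayConfig) -> List[str]:
    """Return one finding per checklist item the configuration violates.
    Each finding is 'check' or 'check:detail' so fleets can be tallied by check."""
    findings = []
    if cfg.wifi_security.upper() in WEAK_WIFI:
        findings.append(f"weak-wifi-encryption:{cfg.wifi_security}")
    legacy = sorted({m.upper() for m in cfg.cellular_modes} & LEGACY_CELLULAR)
    if legacy:
        findings.append("legacy-cellular:" + ",".join(legacy))
    if cfg.ssid_broadcast:
        findings.append("ssid-broadcast")
    if cfg.client_auth not in ("mac-allowlist", "certificate"):
        findings.append("no-client-allowlist")
    # Management reachable off the LAN interface and without a source allowlist
    exposed = [i for i in cfg.mgmt_interfaces if i != LAN_IFACE]
    if exposed and not cfg.mgmt_allowed_ips:
        findings.append("mgmt-exposed:" + ",".join(exposed))
    if not cfg.default_creds_changed:
        findings.append("default-credentials")
    unused = sorted(set(cfg.enabled_services) - set(cfg.required_services))
    if unused:
        findings.append("unused-services:" + ",".join(unused))
    return findings

def fleet_summary(configs: List[GatewayConfig]) -> Dict[str, int]:
    """Count how many devices trip each check (the part before ':')."""
    counts: Dict[str, int] = {}
    for cfg in configs:
        for finding in audit(cfg):
            key = finding.split(":", 1)[0]
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample inventory; these are not real devices or sites.
SAMPLE_FLEET = [
    GatewayConfig("wellhead-gw-01", "WEP", True, "none", ["lan", "wan"], [],
                  ["LTE", "GPRS"], False, ["http", "ssh", "snmp", "mqtt"], ["mqtt", "ssh"]),
    GatewayConfig("substation-ap-07", "WPA2-PSK", False, "mac-allowlist", ["lan"], [],
                  ["LTE"], True, ["ssh", "mqtt"], ["ssh", "mqtt"]),
]

if __name__ == "__main__":
    for cfg in SAMPLE_FLEET:
        print(cfg.name, audit(cfg) or "clean")
    print(fleet_summary(SAMPLE_FLEET))
```

Feeding this from real gateway exports is the only part that is vendor-specific; the checks themselves are the same regardless of brand, and the summary gives the number a security team actually acts on, which is how many units in the fleet still run weak encryption or expose management off the LAN.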

Copyright © 2023 IDG Communications, Inc.