
Severe RCE Bugs Expose Thousands of Industrial IoT Devices to Cyberattack


Eleven vulnerabilities found in the cloud-management platforms of three industrial cellular router vendors have put operational technology (OT) networks at risk of remote code execution, researchers have found. Even if a device is not actively configured for cloud management, the vulnerabilities are severe enough to affect thousands of industrial Internet of Things (IIoT) devices and networks across a variety of sectors. The vendors affected are Sierra Wireless AirLink, Teltonika Networks RUT, and InHand Networks InRouter. Breaching these devices could bypass all of the security layers in common deployments, because IIoT routers are typically connected both to the internet and to the internal OT network. Moreover, the routers' built-in VPN raises the further risk of propagation to other sites.

If attackers achieve direct connectivity to the internal OT environment, it also may lead to impact on production and safety risks for users across the physical environment. In addition, attackers have a number of vectors from which they can exploit the vulnerabilities. These include gaining root access through a reverse shell, compromising devices in the production network to facilitate unauthorised access and control with root privileges, and compromising devices to exfiltrate sensitive information and perform operations such as shutdown.

InHand Networks InRouter, Sierra Wireless AirLink, and Teltonika Networks RUT are among the best-known vendors of industrial cellular routers, which connect devices to the internet over a cellular network. These routers are commonly employed in industrial settings, such as manufacturing plants or oil rigs, where traditional wired internet connections may not be available or reliable. The vulnerabilities in the cloud-management platforms could be exploited in various scenarios, affecting devices both registered and unregistered with the remote management platforms. In other words, the default settings governing how certain devices connect to the cloud-based management platforms contain security weaknesses, and those weaknesses can be targeted by attackers.

Researchers identified critical issues, exploitable through several attack vectors, in three key areas of this connectivity: the asset-registration process, security configurations, and external APIs and web interfaces. Attackers could target specific facilities by leveraging sources such as WiGLE and information-leak vulnerabilities (such as those found in InHand devices), or perform a wide attack on thousands of devices, aiming for broader impact or access. Moreover, exploitation of the vulnerabilities could allow attackers to interfere with operational processes, putting the safety of those working in the environment at risk. One attack vector of particular value to ransomware groups is reaching sites beyond the initial access point, which are exposed because of the devices' built-in VPN connectivity. This can allow an attack to propagate across the broader network, to control centres and SCADA servers.

Researchers outlined a number of mitigation strategies for both OT network administrators and the vendors of these devices. OT network administrators should disable any unused cloud feature if they are not actively using the router for cloud management, to prevent device takeovers and reduce the attack surface. They should also register devices under their own accounts in the cloud platform before connecting them to the internet; this establishes ownership and control and prevents unauthorised access. Administrators can also limit direct access from IIoT devices to the routers, since built-in security features such as VPN tunnels and firewalls are ineffective once a router is compromised. For their part, vendors can avoid building such weaknesses into their devices by not relying on weak identifiers and by using an additional "secret" identifier during device registration and connection establishment.

They should also enforce an initial credential setup so that network operators do not keep default credentials and thereby introduce security risks into the network from the moment of deployment. Moreover, the security requirements of IIoT are unique and should be considered separately from the consumer IoT footprint, because the two are not equivalent. This may involve disabling high-risk features on request and adding extra layers of authentication, encryption, access control, and monitoring.
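The registration and credential-setup recommendations above, modelled as an added toy example (not any vendor's code): a registry that accepts ownership claims on a guessable serial alone, beside one that demands a per-device secret delivered out of band and keeps the device offline until its default password is replaced. All class and function names, the serial, and the secret are constructed for illustration.

```python
import hmac
import hashlib

# Constructed model of a cloud asset-registration service; names are
# hypothetical and do not correspond to any real vendor API.
DEFAULT_PASSWORDS = {"admin", "password", "1234"}


class SerialOnlyRegistry:
    """Ownership keyed on a guessable identifier alone (serial/MAC):
    the first account to claim a serial owns it, with no proof required."""

    def __init__(self):
        self.owners = {}

    def register(self, serial, account):
        if serial in self.owners:
            return False
        self.owners[serial] = account
        return True


class SecretBoundRegistry:
    """Registration needs a per-device secret provisioned at manufacture
    (e.g. printed on the device label), and the device stays offline until
    its default credentials have been replaced."""

    def __init__(self, provisioned):
        # provisioned: serial -> SHA-256 hex digest of the registration secret
        self.secret_hashes = provisioned
        self.owners = {}
        self.hardened = set()

    def register(self, serial, account, presented_secret):
        expected = self.secret_hashes.get(serial)
        if expected is None or serial in self.owners:
            return False  # unknown serial, or already claimed
        presented = hashlib.sha256(presented_secret.encode()).hexdigest()
        if not hmac.compare_digest(expected, presented):  # constant-time check
            return False
        self.owners[serial] = account
        return True

    def set_initial_password(self, serial, password):
        if serial not in self.owners or password.lower() in DEFAULT_PASSWORDS:
            return False  # unregistered device, or a default password
        self.hardened.add(serial)
        return True

    def allow_connection(self, serial, account):
        return self.owners.get(serial) == account and serial in self.hardened


def provision(serial, secret):
    """Cloud-side record created at manufacture: only the secret's hash is stored."""
    return {serial: hashlib.sha256(secret.encode()).hexdigest()}
```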

All the vulnerabilities were responsibly disclosed in coordination with the vendors and CISA and have been mitigated by the vendors, according to Otorio.
