OTORIO research finds that wireless IIoT vulnerabilities provide direct linkage to physical equipment

OT cyber and digital risk management solutions vendor OTORIO revealed Wednesday the presence of wireless IIoT vulnerabilities that provide a direct path to internal OT (operational technology) networks, enabling hackers to bypass the common protection layers in these environments. The research found 38 vulnerabilities in hardware from the four vendors OTORIO examined, some of which are still under a responsible disclosure process, making this a widespread issue.

OTORIO identified that wireless IIoT devices typically include industrial cellular gateways/routers and industrial Wi-Fi access points. The research demonstrates how local attackers can compromise industrial Wi-Fi access points and cellular gateways by targeting the Wi-Fi/cellular channels on-site. It also shows how such compromises expose devices to man-in-the-middle (MITM) attacks, expose internal services, and even allow direct access to Purdue Model Level 0 devices. These devices are the ideal target for hackers who want to crash physical machinery and cause the most damage to production and facilities.

The research into wireless IIoT devices and technologies has revealed a significant issue involving the implementation of ‘secure’ remote access to critical infrastructure. Because wireless IIoT is commonly connected to both the internet and the internal OT network, it poses a serious risk to OT environments.

Through the research, OTORIO covered several attack vectors that local or remote attackers may leverage to attack OT networks through wireless IIoT devices. These include Internet-exposed services, on-site Wi-Fi/cellular channels, and cloud management platforms. 

It added that these vectors demonstrate the exposure of these devices to external attacks and the fact that they are connected directly to the inner network, thus serving as a single point of failure in common environment configurations. The direct connection to the lower Purdue levels of the network – levels 0 to 2 – usually means a full bypass of the security measures the Purdue model prescribes, providing access to sensitive devices in the OT network that are commonly vulnerable by design.

The research identified that wireless IIoT devices and their cloud platforms, in their current state, present a critical attack surface for industrial remote sites. The critical issues were detected in equipment from all four vendors examined, some of which are still in the disclosure process. Additionally, wireless IIoT as it is commonly used poses a significant risk to OT environments due to its direct connection to both the internet and the internal OT network, thereby establishing a single point of failure and a potential breach that can bypass all security layers as defined by the Purdue Model.

OTORIO also said that attackers could use free platforms, like WiGLE, to locate high-value, vulnerable targets, identify their physical location and exploit them from nearby, posing a critical risk to OT networks and critical infrastructure with hazardous potential impact.

Internet-facing devices present a significant risk to the ICS community, OTORIO said. In many cases, local services such as HTTP/S, SSH, and Telnet are directly exposed to the internet, either due to human error or intentional design, making them potential remote entry points into the internal OT environment.

“Our research focuses on the vulnerability of local HTTP/S services, which hold vendor-specific logic and are a preferred target for attackers,” the whitepaper said. “Utilizing search engines such as Shodan, we have observed widespread exposure of industrial cellular gateways and routers, making them easily discoverable and potentially vulnerable to exploitation by threat actors.” 

OTORIO discovered 0-day vulnerabilities in the web interfaces of Sierra Wireless, InHand Networks, and ETIC Telecom devices. “Our findings include 24 web vulnerabilities, including RCE on each of the vendors. Some are still in the disclosure process.”

The researchers found that local attackers can compromise industrial Wi-Fi access points and cellular gateways by targeting Wi-Fi/cellular channels on-site, exposing devices to MITM attacks, exposing internal services, and even allowing direct access to Level 0 devices. “Different types of local attacks can be used against Wi-Fi and cellular communication channels, starting from attacks on weak encryptions such as WEP and downgrade attacks to the vulnerable GPRS, all the way to complex chipset vulnerabilities that may take time to patch,” they added.

OTORIO’s research also covered reconnaissance techniques that can geographically locate valuable and vulnerable industrial Wi-Fi access points worldwide. The researchers used the publicly available WiGLE platform, which stores information about access points worldwide. Users can install an app on their phone that records information about Wi-Fi networks in the area, including network name, network BSSID (MAC) address, encryption type, coordinates, and more. A user can choose to upload that information to the database, which contains almost 1 billion unique Wi-Fi network records.

The whitepaper said that the platform provides an API and a web interface that allow different types of filtering. These include basic filtering by network name (SSID) or network address (BSSID), and advanced filtering through the REST API, which offers more options, including filtering by coordinates or encryption type.

The researchers said that most wireless IIoT vendors provide a cloud-based management platform, enabling the device operator to perform remote operations such as configuration changes, firmware upgrades, rebooting, and tunneling over the device. “By targeting a single vendor cloud-based management platform, a remote attacker may expose thousands of devices located on different networks and sectors. Communication between the vendors’ cloud management platform and the devices is carried out using IoT M2M protocols, like MQTT, which is the most common,” they added. 

OTORIO identified critical vulnerabilities on three cloud management platforms, allowing potential attackers to compromise every cloud-managed device with high privileges, remotely and without authentication. 

In the case of InHand Networks, OTORIO found a chain of three vulnerabilities in its Device Manager cloud platform and the InRouter device firmware that allows remote code execution with root privileges on every cloud-managed InRouter device. “Using these vulnerabilities, a threat actor could gain direct access to thousands of networks,” it added.

Once the router boots, a weak registration is performed with the cloud platform, based only on the configured cloud account and the router’s serial number. If the account and serial are valid, the Device Manager assigns the device with that serial to that account and sends back MQTT credentials. The device then immediately connects to the Device Manager using those MQTT credentials.
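To make the design weakness concrete, here is an added simulation (not OTORIO’s or InHand’s code, and not the real Device Manager protocol) of a cloud-side registration handler: the weak variant hands out MQTT credentials to anyone presenting a valid account and serial, while a hardened variant additionally requires proof of a per-device secret. All account names, serials, secrets and nonces are constructed.

```python
# Added example: simulated cloud registration, weak vs. hardened.
# All identifiers and secrets below are constructed for the demo.
import hmac
import hashlib
import secrets

# Cloud-side state: serials enrolled under each account, and (hardened
# variant only) a per-device secret provisioned at manufacturing time.
ACCOUNT_DEVICES = {"plant-a": {"IR-000123", "IR-000124"}}
DEVICE_SECRETS = {"IR-000123": b"factory-secret-123",
                  "IR-000124": b"factory-secret-124"}
ISSUED = {}  # serial -> MQTT credentials currently assigned

def issue_mqtt_credentials(serial):
    creds = {"username": serial, "password": secrets.token_hex(16)}
    ISSUED[serial] = creds
    return creds

def register_weak(account, serial):
    """Weak flow: knowing a valid (account, serial) pair is enough to be
    treated as that device and receive its MQTT credentials."""
    if serial in ACCOUNT_DEVICES.get(account, set()):
        return issue_mqtt_credentials(serial)
    return None

def _proof(secret, account, serial, nonce):
    msg = f"{account}|{serial}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def register_hardened(account, serial, nonce, proof):
    """Hardened flow: the caller must also prove possession of the
    per-device secret via an HMAC over account|serial|nonce. The nonce is
    assumed to be issued by the server per attempt (replay protection);
    the serial alone is never treated as a credential."""
    if serial not in ACCOUNT_DEVICES.get(account, set()):
        return None
    secret = DEVICE_SECRETS.get(serial)
    if secret is None:
        return None
    if not hmac.compare_digest(_proof(secret, account, serial, nonce), proof):
        return None
    return issue_mqtt_credentials(serial)

def device_proof(secret, account, serial, nonce):
    """What a legitimate device computes from its provisioned secret."""
    return _proof(secret, account, serial, nonce)
```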

The OTORIO whitepaper said that the exploration of the cloud-managed device highlights the importance of proper access control and secure coding practices in the development of internet-connected devices. “By finding these vulnerabilities, we can work to ensure the security of networks and protect sensitive data from potential threats,” it added.

OTORIO recommends architectural adjustments to combat these threats, including setting up a zero trust policy between cells and the L3 (control center), ensuring that if an attacker compromises a single cell, they won’t be able to reach other cells or unnecessary services in the L3. 

Organizations must also apply a whitelist-based communication template, monitored by the FW/IPS between L3 and the cells. The communication template guarantees that only allowed traffic is sent from the cells to the L3. Furthermore, they must create a proxy address for internet-managed devices such as industrial cellular gateways and intelligent field devices. Their traffic is routed through the proxy, which inspects the data (acting as a controlled man-in-the-middle) to detect any malicious behavior.
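As an added illustration of the zero trust policy and the whitelist-based communication template described above (example code, not OTORIO’s), the following checker evaluates flows between cells and L3 against an allowlist and flags anything outside it, including lateral cell-to-cell traffic. The subnets, ports and sample flow records are all constructed.

```python
# Added example: allowlist "communication template" check of the kind a
# FW/IPS between the cells and L3 would enforce. All values are constructed.
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed Purdue zones: one subnet per cell, L3 is the control center.
CELLS = {"cell-1": ipaddress.ip_network("10.1.1.0/24"),
         "cell-2": ipaddress.ip_network("10.1.2.0/24")}
L3 = ipaddress.ip_network("10.3.0.0/24")

# Template entries: (source zone, destination zone, proto, dport).
# Only the listed cell->L3 services are allowed; everything else,
# including any cell<->cell traffic, is a violation (zero trust between cells).
TEMPLATE = {
    ("cell-1", "L3", "tcp", 4840),   # OPC UA to the L3 server
    ("cell-2", "L3", "tcp", 4840),
    ("cell-1", "L3", "tcp", 443),    # historian upload over HTTPS
    ("cell-2", "L3", "tcp", 443),
}

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in CELLS.items():
        if ip in net:
            return name
    return "L3" if ip in L3 else "unknown"

def check_flow(flow):
    """Return None if the flow matches the template, else a reason string."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if (src, dst, flow.proto, flow.dport) in TEMPLATE:
        return None
    if src.startswith("cell") and dst.startswith("cell"):
        return f"lateral cell-to-cell traffic {src}->{dst}"
    return f"not in template: {src}->{dst} {flow.proto}/{flow.dport}"

def audit(flows):
    """Run the template over a batch of flows (e.g. parsed firewall logs)."""
    findings = []
    for f in flows:
        reason = check_flow(f)
        if reason is not None:
            findings.append((f, reason))
    return findings

# Constructed sample flows, as they might be parsed from FW/IPS logs.
SAMPLE_FLOWS = [
    Flow("10.1.1.20", "10.3.0.5", 4840, "tcp"),   # allowed: OPC UA to L3
    Flow("10.1.1.20", "10.1.2.30", 502, "tcp"),   # violation: cell-1 -> cell-2
    Flow("10.1.2.30", "10.3.0.5", 22, "tcp"),     # violation: SSH into L3
]
```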

Last November, Forescout’s Vedere Labs disclosed the presence of new vulnerabilities affecting OT products from two German vendors – Festo automation controllers and the CODESYS runtime, which is used by hundreds of device manufacturers in different industrial sectors, including Festo. These security loopholes add to the earlier 56 vulnerabilities caused by insecure-by-design practices affecting devices from ten OT vendors, including Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa.
