On Dec. 7 at Black Hat Europe, analysts from Forescout will reveal the bugs — including one of 9.6 “Critical” severity on the CVSS scale, and nine “High” severity — affecting a brand of operational technology (OT)/Internet of Things (IoT) routers especially common in the medical and manufacturing sectors.
Picture OT/IoT routers as the bridges connecting the broader Internet to internal networks through 3G and 4G cellular networks. They’re commonly spotted in crucial areas such as transportation, government, and water treatment. If these devices are compromised, it opens the door to serious consequences like lateral movement within networks, deploying malware, engaging in espionage, disrupting services, and more.
Let’s delve into the vulnerabilities. Seven of the fresh discoveries are nestled within the internal components of these routers, while fourteen stem from open-source elements, including a captive portal for Wi-Fi networks and an XML processing library. The issues span a spectrum of risks, from cross-site scripting (XSS) to denial of service (DoS), remote code execution (RCE), unauthorized access, and authentication bypass.
Breaking it down, these bugs can be sorted into two main groups, as explained by Daniel dos Santos, the head of security research at Forescout. They’re either design flaws like hardcoded credentials and SSL certificates or relate to how the device handles potentially harmful inputs, which could lead to injecting malicious code or crashing the device.
The implications of an attack on these devices are profound. Attackers can sidestep traditional industrial security measures and directly target the most critical devices in a facility. Dos Santos walks us through the typical path of an attack: starting on the IT network, making lateral moves, breaching the gap with OT through an engineering workstation or SCADA system, and ultimately gaining access to IoT devices.
What sets these routers apart is their direct connection of potentially critical devices to the Internet without the need for typical IT-OT lateral movement. This poses a unique risk for devices in critical infrastructure like pipelines or substations.
Now, onto the numbers. Forescout’s researchers, armed with regular scans, discovered over 80,000 vulnerable OT/IoT devices exposed on the open web, with a significant chunk located in the US. Alarmingly, 22,000 of these devices use default SSL certificates, making them susceptible to easy man-in-the-middle attacks. Adding to the concern, fewer than 10% of these devices are patched against publicly known vulnerabilities.
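A default certificate is easy to spot from the defender’s side because it is the same certificate on every unit: the SHA-256 fingerprint repeats across devices and, for a known product, matches a fingerprint the vendor or researchers have published. The script below is an added example (not Forescout’s tooling and not code from the page) that pulls the leaf certificate from each router’s management interface in an inventory and flags fingerprints that are shared across hosts or appear on a known-default list. The host names, the certificate bytes and the "known default" fingerprint are constructed placeholders; real DER bytes and real default fingerprints would come from your own fleet and the vendor’s advisory.

```python
import hashlib
import socket
import ssl
from collections import defaultdict


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate the device presents, as DER bytes.

    Verification is deliberately off: the goal is to record what the router
    serves, not to trust it. A default or self-signed certificate would fail
    normal validation, which is exactly the condition being audited.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # binary_form=True works even with CERT_NONE; the dict form does not.
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lowercase hex (no colons)."""
    return hashlib.sha256(der).hexdigest()


def find_shared_certs(host_to_der: dict, known_defaults=frozenset()) -> dict:
    """Group hosts by certificate fingerprint and report the risky groups.

    A fingerprint is reported when more than one host serves it (a shared,
    i.e. almost certainly factory-default, certificate) or when it appears on
    the caller's list of known default fingerprints. Per-device self-signed
    certificates are unique and are not flagged here; that is a separate,
    weaker-but-different finding.
    """
    by_fp = defaultdict(list)
    for host, der in host_to_der.items():
        by_fp[fingerprint(der)].append(host)

    findings = {}
    for fp, hosts in by_fp.items():
        reasons = []
        if len(hosts) > 1:
            reasons.append("shared")
        if fp in known_defaults:
            reasons.append("known-default")
        if reasons:
            findings[fp] = {"hosts": sorted(hosts), "reasons": reasons}
    return findings


# Constructed sample inventory: these byte strings stand in for DER
# certificates so the example runs offline. They are not real certificates.
SAMPLE_CERTS = {
    "router-a.example": b"FACTORY-DEFAULT-CERT-PLACEHOLDER",
    "router-b.example": b"FACTORY-DEFAULT-CERT-PLACEHOLDER",  # same cert as router-a
    "router-c.example": b"UNIQUE-PER-DEVICE-CERT-PLACEHOLDER",
}

# Constructed stand-in for a vendor-published default-certificate fingerprint.
KNOWN_DEFAULT_FINGERPRINTS = frozenset({fingerprint(SAMPLE_CERTS["router-a.example"])})


def audit_inventory(hosts, port: int = 443, known_defaults=frozenset()) -> dict:
    """Live variant: fetch each host's certificate, then run the same check."""
    collected = {}
    for host in hosts:
        try:
            collected[host] = fetch_der_cert(host, port)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: could not fetch certificate ({exc})")
    return find_shared_certs(collected, known_defaults)


if __name__ == "__main__":
    for fp, info in find_shared_certs(SAMPLE_CERTS, KNOWN_DEFAULT_FINGERPRINTS).items():
        print(f"{fp[:16]}...  {', '.join(info['reasons'])}: {', '.join(info['hosts'])}")
```

Run `audit_inventory(["10.0.0.1", "10.0.0.2"], known_defaults=...)` against your own router inventory to get the live result; the offline sample flags the two hosts sharing one certificate and leaves the device with a unique certificate alone. Replacing a flagged certificate with one issued by your own PKI removes the shared-key condition that makes interception trivial.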
Digging deeper, for those with management interfaces, 80% are at the end of their life cycle, rendering them unpatchable. This predicament is prevalent in industrial settings due to the complexities and risks associated with updating or replacing specific critical software and machinery operating 24/7.
Dos Santos emphasizes a concerning habit within the industry: treating devices as legacy just because they belong to the OT world. This perception delays necessary upgrades, creating a vulnerability in the OT perimeter. He concludes, “We don’t need to replace it right now, but that’s definitely problematic, and this is one area of the OT perimeter that could be helped in upgrading devices.”