Advantech Industrial Serial-To-Internet Gateways Left Wide Open

itwbennett writes: Researchers from Rapid7 have discovered a vulnerability in serial-to-IP gateway devices from Advantech that would allow the Internet-connected industrial devices to be accessible to anyone, with no password. In October, the Taiwanese firm patched the firmware in some of these devices to remove a hard-coded SSH (Secure Shell) key that would have allowed unauthorized access by remote attackers. But it overlooked an even bigger problem: Any password will unlock the gateways, which are used to connect legacy serial devices to TCP/IP and cellular networks in industrial environments around the world.

Re:Why?

[vux984]

That they are connected to the internet makes perfect sense for a lot of reasons.

That they are connected to the internet and reachable directly, and publicly on the other hand is total spectacular fail.

They should be behind firewalls, that only allow connections in from authorized remote monitoring ip blocks, over encrypted connections presenting the right certificates.

But the usual; is to just do the minimum possible so that its functional. Security simply isn't even a consideration that goes into these things.