Slashdot Mirror


Advantech Industrial Serial-To-Internet Gateways Left Wide Open (rapid7.com)

itwbennett writes: Researchers from Rapid7 have discovered a vulnerability in serial-to-IP gateway devices from Advantech that would allow the Internet-connected industrial devices to be accessible to anyone, with no password. In October, the Taiwanese firm patched the firmware in some of these devices to remove a hard-coded SSH (Secure Shell) key that would have allowed unauthorized access by remote attackers. But it overlooked an even bigger problem: Any password will unlock the gateways, which are used to connect legacy serial devices to TCP/IP and cellular networks in industrial environments around the world.

4 of 35 comments

  1. Go go IoT!! by ErichTheRed · Score: 2

    This is going to get very interesting as the IoT bubble continues inflating. I'm not in the industrial space, but I do work in an environment with lots of legacy serial devices. There is serious denial that these things still exist to a big extent -- most non-technical people assume everything is USB or has some other connectivity. PC manufacturers have gotten away from shipping PCs with serial ports, and often the solution touted is serial-to-Ethernet bridges like the ones in the article. This is especially true as the pressure to lighten up the edge devices increases (i.e. replace a PC with a tablet.)

    The truth is that in any vertical market, very little is done to keep up with security. Look at the link - it took from November 11 to December 30 for the vendor to patch the firmware, and this was for a public, open-authentication level bug. If the IoT is going to catch on, stuff like this needs to be fixed. You can't just put a magic "put it on the Internet" box in front of a legacy device and assume the vendor is doing everything possible to find and fix flaws. This goes double for stuff like serial gateways that don't get much use outside of a few key sectors. (Hint: those key sectors tend to control a lot of very important infrastructure!!)

  2. Re:Why? by vux984 · Score: 3, Insightful

    That they are connected to the internet makes perfect sense for a lot of reasons.

    That they are connected to the internet and reachable directly, and publicly on the other hand is total spectacular fail.

    They should be behind firewalls that only allow connections in from authorized remote monitoring IP blocks, over encrypted connections presenting the right certificates.

    But the usual is to just do the minimum possible so that it's functional. Security simply isn't even a consideration that goes into these things.

  3. Unauthenticated Root Access on Telnet port by HighOrbit · Score: 2

    There are also some IP network connected medical devices with virtually zero security. Check this out. This was definitely a WTF moment.
    https://ics-cert.us-cert.gov/a...
    https://web.nvd.nist.gov/view/...
    and http://www.securityweek.com/se...

  4. Re:Why? by gstoddart · Score: 2

    Because everything is connected to the internet these days.

    Even if your "remote" access is across the building, it's the protocol which is used, because it's already implemented.

    Advantech advertises such products as a simple way to bring remote management and data accessibility to thousands of industrial devices that cannot natively connect to TCP/IP networks.

    The bigger question is why do we keep accepting that apparently complete morons are in charge of building these devices?

    Hard-coded SSH keys is pathetic. Allowing any password whatsoever to open the device?? That's some epic fail right there.

    If you are writing a security system (and I'll use that term loosely), if you can't be arsed to test what happens if you put in a wrong password ... you have no damned business writing a security system.

    First two tests: good password, bad password. If you didn't test bad password, you're fired.

    This can really only come down to sheer incompetence, or outright fraud. Either you're too clueless to be in the game, or you know damned well you've done a piss-poor job but tried to hide it.

    I keep saying, until corporations carry penalties and legal liability for being incompetent/lazy/indifferent about security, not a damned thing will change.

    Anybody who bought one of these things needs to be demanding their damned money back.

    --
    Lost at C:>. Found at C.