Advantech Industrial Serial-To-Internet Gateways Left Wide Open (rapid7.com) 35
itwbennett writes: Researchers from Rapid7 have discovered a vulnerability in serial-to-IP gateway devices from Advantech that would allow the Internet-connected industrial devices to be accessible to anyone, with no password. In October, the Taiwanese firm patched the firmware in some of these devices to remove a hard-coded SSH (Secure Shell) key that would have allowed unauthorized access by remote attackers. But it overlooked an even bigger problem: Any password will unlock the gateways, which are used to connect legacy serial devices to TCP/IP and cellular networks in industrial environments around the world.
Why? (Score:2)
Why would industrial machines be connected to the Internet in the first place?
Re: (Score:2)
I assume so they can be monitored from a remote location.
Re: (Score:1)
Serious answer from the real world: Because by CIO fiat we can't have PCs or any intelligent devices in remote locations anymore. Why? Because of The Cloud.
Re: (Score:2)
Now in the actual real world we don't have CIOs in industrial settings. The answer is not because we don't put intelligent devices in remote locations, the answer is because we don't want to pay someone 3 hours of time to drive out to the remote location to take a reading.
This has zero to do with the cloud.
Re: (Score:2)
Re:Why? (Score:4, Insightful)
That they are connected to the internet makes perfect sense for a lot of reasons.
That they are connected to the internet and reachable directly, and publicly on the other hand is total spectacular fail.
They should be behind firewalls, that only allow connections in from authorized remote monitoring ip blocks, over encrypted connections presenting the right certificates.
But the usual; is to just do the minimum possible so that its functional. Security simply isn't even a consideration that goes into these things.
Re: (Score:2)
I think it really depends on the application in question.
Pretend you had set up a firewall correctly a few years ago, but the firewall was set up before the port 32764 backdoor had been discovered. Uh oh, your properly configured firewall has a backdoor! There goes the IP block monitoring too (either the check is on the firewall, and the backdoor disables it, or its beyond the firewall and the firewall spoofs it, or both). Your certs are set up, but heartbleed exists (and you don't know about it, but you
Re: (Score:2)
Every single one of those exploits is mitigated by whitelisting the incoming ip blocks authorized to connect.
The ip block restriction, means the port 32764 is only vulnerable from the whitelisted ip address. Heartbleed/FREAK/etc doesn't work if you can't connect.
You are right of course, that unknown flaws in the device and security software do present an attack surface. But a few layers of real security are a reasonable defense. No security can't be broken, but even a wooden door with a residential lock is
Re: (Score:2)
> Every single one of those exploits is mitigated by whitelisting the incoming ip blocks authorized to connect.
In the affected 32674 routers, yes. But remember, if the router is compromised, the technical limitation of that particular exploit shouldn't be something you use to judge other exploits or risks.
Yes, the IP whitelist would have saved you there. But if the device you are trusting to enforce the whitelist is ITSELF compromised (as in this case!), why would you trust the backdoored device to def
Re: (Score:2)
Of course those other things could be compromised as well but with the MS stuff there is a very long history of problems due to an allow by default mentality instead of blocking everything apart from the stuff you know that you want.
Re: (Score:1)
Having worked in an industry that monitored critical infrastructure equipment, we used to keep these behind firewalls in an RFC 1918 space.
The reason why they are connected is that these SNMP and Modbus devices are passively monitored for accuracy, trouble issues, power usage and capacity, But lately there has been an increase in active configuration through derived equations to shed loads , remotely start and stop generators, HVAC systems, etc...
Not having them password protected is an epic fail
Re: (Score:2)
Many of these devices on the market are actually security gateways and supposedly have integral protections. Unfortunately, many are half-assed implementations.
Re: (Score:2)
Why would industrial machines be connected to the Internet in the first place?
Just because it's a Serial to IP converter doesn't mean that it is connected to the Internet. These types of devices are used all the time to interface to legacy systems that can't talk IP to internal control systems.
And sure you could argue that in this day and age you need more than just boundary protection .. but of the attackers are already in your network I think that you are screwed regardless of what type of peripherals you have installed.
Re: (Score:2)
To use a commodity modem rather than a proprietary one, generally. They (as a spass of device, not this particular manufacturer) were also a huge security improvement, as now it was possible to have things like radius-based authentication that could be centrally managed rather than no, or (shared) device level authentication.
Serial automation networks are a pain, and IP networks offered a number of huge benefits. Unfortunately there was about a 5-10 year period where there was no security, another 5-10 ye
Re: (Score:2)
Rightfully, they shouldn't be. A sensible configuration would be to have them connected to a TCP/IP network so that they can be plugged into a central monitoring system... and the network they are connected to would (ideally) be plugged into some sort of VPN appliance. You would then *only* be able to access the systems through that VPN connection.
However, if the network is somehow breached, then you have a problem. Or if the people you have setting things up are idiots and literally DO plug it directly
Re: (Score:2)
To make things cheaper. Historically, these were going over phone lines or dedicated wires. Of course, if people with zero understanding of what Internet security requires implement such solutions, it will typically cause an epic fail. And look, it does.
Re: (Score:3)
Because everything connected to the internet these days.
Even if your "remote" access is across the building, it's the protocol which is used, because it's already implemented.
The bigger question is why do keep accepting that apparently complete morons are in charge of building these devices?
Hard-coded SSH keys is pathetic. Al
Unconfirmed issue with dropbear implementation (Score:2)
"Note that it is unconfirmed if this backdoor account is reachable on a production device by an otherwise unauthenticated attacker"
Has anyone seen independent evidence that you can SSH into one of these devices with the password "remote_debug_please" ?
Go go IoT!! (Score:3)
This is going to get very interesting as the IoT bubble continues inflating. I'm not in the industrial space, but I do work in an environment with lots of legacy serial devices. There is serious denial that these things still exist to a big extent -- most non-technical people assume everything is USB or has some other connectivity. PC manufacturers have gotten away from shipping PCs with serial ports, and often the solution touted is serial-to-Ethernet bridges like the ones in the article. This is especially true as the pressure to lighten up the edge devices increases (i.e. replace a PC with a tablet.)
The truth is that in any vertical market, very little is done to keep up with security. Look at the link - it took from November 11 to December 30 for the vendor to patch the firmware, and this was for a public, open-authentication level bug. If the IoT is going to catch on, stuff like this needs to be fixed. You can't just put a magic "put it on the Internet" box in front of a legacy device and assume the vendor is doing everything possible to find and fix flaws. This goes double for stuff like serial gateways that don't get much use outside of a few key sectors. (Hint: those key sectors tend to control a lot of very important infrastructure!!)
Re: (Score:1)
The problem is that the companies that drop the ball when it comes to devices and security have no incentive to change their ways. Even if their device pops up a terminal server prompt and allows any intruder full access, would there be consequences. Even if there were, the EULA effectively shields the company from harm, no matter how catastrophic the damage is.
It won't be the IoT vendors who will be troubling themselves about security. It either has to be their customers who vote with their wallets, or
Re: (Score:2)
This is going to get very interesting as the IoT bubble continues inflating. I'm not in the industrial space, but I do work in an environment with lots of legacy serial devices. There is serious denial that these things still exist to a big extent -- most non-technical people assume everything is USB or has some other connectivity. PC manufacturers have gotten away from shipping PCs with serial ports, and often the solution touted is serial-to-Ethernet bridges like the ones in the article. This is especially true as the pressure to lighten up the edge devices increases (i.e. replace a PC with a tablet.)
The truth is that in any vertical market, very little is done to keep up with security. Look at the link - it took from November 11 to December 30 for the vendor to patch the firmware, and this was for a public, open-authentication level bug. If the IoT is going to catch on, stuff like this needs to be fixed. You can't just put a magic "put it on the Internet" box in front of a legacy device and assume the vendor is doing everything possible to find and fix flaws. This goes double for stuff like serial gateways that don't get much use outside of a few key sectors. (Hint: those key sectors tend to control a lot of very important infrastructure!!)
The article summary mentions "internet connected industrial devices" but these are just serial to ethernet bridges/servers. Just looking at some of their products [advantech.eu], it is clear to me that this type of equipment is intended for closed, air-gapped LAN networks. Anyone who puts these on an externally-facing IP address is just asking for trouble. That's not the vendor's fault, that's just a very bad implementation by the end-user or network designer.
Re: (Score:2)
This is going to get very interesting as the IoT bubble continues inflating.
I disagree. It is just going to be all the same very old problems again, this time even more stupid because are all are known.
This is what happens when "cheaper than possible" personnel implements security-critical functionality. These people have no clue what they are doing.
Seriously? (Score:1)
Do you want Judgement Day? Because that's how you get Judgement Day!
Unauthenticated Root Access on Telnet port (Score:3)
https://ics-cert.us-cert.gov/a... [us-cert.gov]
https://web.nvd.nist.gov/view/... [nist.gov]
and http://www.securityweek.com/se... [securityweek.com]