A wireless gateway suitable for a number of industrial applications is vulnerable to remote exploit because of a lack of encryption in its update and reprogramming processes, an advisory from the Industrial Control Systems Cyber Emergency Response Team said yesterday.
The Sierra Wireless AirLink Raven X EV-DO application has been discontinued by vendor Sierra Wireless, but is still supported. No mention of the vulnerabilities in versions V4221_4.0.11.003 and V4228_4.0.11.003, reported to ICS-CERT by a researcher at energy provider Cimation, is on the vendor’s website. Yet firmware, tools and utility downloads are still available for the vulnerable versions for a number of major wireless carriers.
“These vulnerabilities allow an attacker to remotely reprogram the firmware on the device,” the ICS-CERT advisory said. “After reprogramming the firmware, an attacker can affect functionality of the application, including system shutdown.”
The vulnerable gateways provide connectivity in industrial and corporate environments worldwide, in particular in the energy and transportation sectors in the U.S., Canada and Europe. According to ABI Research, Sierra Wireless has the top market share in the cellular machine-to-machine embedded module market and helps connect 1.4 billion devices. Its devices are used as part of fleet management systems, eToll and eTax collection systems, electrical smart metering applications, renewable energy EV charging stations, industrial automation, and industrial infrastructure and building monitoring applications, among others.
Sierra Wireless, according to the ICS-CERT advisory, recommends that its customers upgrade to the GX400, GX440 or LS300 devices in order to mitigate the problem.
Because the AirLink Raven series does not use encryption in the aforementioned processes, an attacker can gain access to plaintext user names and passwords and gain access to the device’s firmware and manipulate it.
In addition, the devices are also prone to replay attacks that bypass authentication altogether.
“By sending a series of crafted packets to Port 17336/UDP and Port 17388/UDP, an attacker could reprogram the device’s firmware image,” the ICS-CERT advisory said. “This could allow the attacker to affect the availability of the firmware.”
Often, these rugged industrial devices are difficult to replace either because they are physically difficult to reach, or taking them offline would cause downtime to critical services and systems.
Such was the case with a reported vulnerability in industrial automation software used to configure wireless radios connecting devices in hard-to-reach oil and gas facilities. Patched firmware was delivered by the vendor ProSoft Technology for its RadioLinx ControlScape pseudo random number generator, but researchers at IOActive who found the bug said they were not likely to be patched because updates were not able to be done over the air.
The vulnerability discovered by Luis Apa and Carlos Penagos was an issue with the passphrase generated upon creation of a new radio network connection, specifically in a setting for secure communication between the network and industrial devices. The software used local time as the seed for the new passphrase, making it relatively simple for a hacker to guess the password via a brute force attack or another type of cryptographic attack.
“By being able to guess the passphrase, an attacker could communicate with the network the device is connected to with devastating consequences,” Penagos said.
Attackers with a powerful antenna could attack these devices from many miles away and send modified packets to automation systems that could lead to serious failures.