Researchers have identified several remotely exploitable vulnerabilities in a wireless remote monitoring product from OleumTech that is used in energy, water and other critical infrastructure sectors. Two of the three flaws are related to the encryption implementation in the affected products, including the use of a weak random number generator.
The vulnerabilities, discovered by a pair of researchers at IOActive, are present in the OleumTech WIO DH2 Wireless Gateway and all of the OleumTech Sensor Wireless I/O Modules versions. OleumTech is a California company that provides wireless remote monitoring devices for industrial environments. The IOActive researchers discovered three separate vulnerabilities in the company’s products, including an input-validation flaw, key management errors and the use of a weak pseudo-random number generator.
“When connecting any of the devices to BreeZ, it is possible to read the site security key of the device without authentication. This could allow someone who has stolen a node or has physical access to the device to obtain the site security key to communicate freely with other network devices. However, this key cannot be read remotely when the data system is up and running, only in the manual setup mode. The data flows one way from sensor to gateway collector, and there is no control channel back to the sensor. To reset the key, the device must be taken offline and updated manually,” the advisory from ICS-CERT says.
BreeZ is OleumTech’s software for configuring and managing the company’s WIO system devices.
OleumTech does not plan to fix this vulnerability or the key management errors, because the company does not consider them vulnerabilities.
“The vendor states the key in the DH2 is for site-specific RF Network Authentication only, not encryption, and has no plans to change the DH2. The replacement DH3 platform will handle key management differently,” the advisory says.
The company and the researchers worked with ICS-CERT to understand and address the vulnerabilities, but couldn’t come to an agreement on the severity and validity of the flaws.
“Security researchers Lucas Apa and Carlos Mario Penagos Hollman of IOActive have identified multiple vulnerabilities in OleumTech’s WIO family including the sensors and the DH2 data collector. The researchers have coordinated the vulnerability details with NCCIC/ICS-CERT and OleumTech in hopes the vendor would develop security patches to resolve these vulnerabilities. While ICS-CERT has had many discussions with both OleumTech and IOActive this past year, there has not been consensus on vulnerability details and positive product developments to resolve identified vulnerabilities,” the advisory from ICS-CERT says.
The input-validation vulnerability would allow an attacker to execute arbitrary code on a vulnerable system.
“If a specially crafted packet is received by the DH2 Gateway with a high value on the battery voltage field, the DH2 Gateway radio receiver crashes. If this scenario is repeated multiple times, a DoS condition could occur. This could allow the attacker to execute arbitrary code,” the advisory says.