Industrial control gateways play a critical role in industrial infrastructure, linking systems and sensors that communicate using protocols such as Modbus or serial to IP networks for easier remote management and monitoring. However, many such devices have critical vulnerabilities that stem from well-known insecure programming practices that could have been easily avoided.
“It’s like exploiting in the 1990s,” said Thomas Roth, a German security researcher and consultant who analyzed the firmware of industrial control gateways from several vendors over the past year. Roth presented his findings at the Black Hat USA security conference last week.
While there’s a general belief that industrial gateway devices are air-gapped, thousands of them are accessible directly from the internet and many are severely outdated, according to Roth. Once you locate one such device, you can easily find others by looking in the same IP range, because there is a good chance the IP netblock belongs to an industrial ISP that services many asset owners.
One of the gateways Roth looked at was the Moxa W2150A, which is used to connect programmable logic controllers (PLCs), meters and sensors to traditional wireless networks. The latest firmware for the device is encrypted, but it uses a hardcoded key that Roth was able to extract from older versions.
The device exposes a web-based administration interface, a proprietary firmware upgrade protocol running on port 4900, Telnet, the Simple Network Management Protocol (SNMP) and a serial driver protocol.
The researcher found cross-site scripting (XSS), cross-site request forgery (CSRF) and insecure authentication issues in the web interface, as well as stack overflows in the proprietary upgrade protocol that can be exploited to achieve a full device compromise. A zero-day exploit for a vulnerability in the web server used by the device was also recently disclosed publicly.
What’s interesting is that some of the bugs found by Roth in the Moxa device were also found in the past by other researchers in other devices from the same vendor. It seems the manufacturer only fixes bugs in the products they were found in, without investigating whether other models that share some of the same code are also affected.
“This is a whole security culture problem in my view,” Roth said. “Some of the more expensive models from the ‘secure’ line of products share the same bugs with the cheaper models.”
Another device investigated by the German researcher is the Advantech EKI-1522, an Ethernet-to-serial gateway that comes in various configurations with WiFi, GSM, Ethernet and so on. The device firmware is not encrypted and uses a very old Linux kernel version and a web server called boa, whose last release was in 2005.
The main binary on the device that handles the serial-to-Ethernet translation is called edgeserver, and it uses insecure programming functions, including sprintf, that are a frequent source of arbitrary code execution vulnerabilities. Sure enough, Roth found a remotely exploitable vulnerability in a service that gave him root access on the device. He also found XSS, CSRF and authentication issues in the web interface.
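The sprintf pattern the article describes, as an added illustration that is not code from Roth’s talk or from any vendor’s firmware: it measures how many bytes an unbounded sprintf would write into a fixed-size buffer, next to a bounded snprintf replacement that detects and rejects truncation instead of overrunning the stack. The buffer size, format string and sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Fixed-size status line buffer; the size is an assumption for this example. */
#define LINE_SZ 32

/* The vulnerable pattern is sprintf(line, "port=%s status=up", port_name)
 * with no bound on port_name. Rather than perform that write, this helper
 * reports how many bytes it would have produced (snprintf with a NULL
 * destination returns the formatted length without writing anything). */
static size_t bytes_sprintf_would_write(const char *port_name)
{
    return (size_t)snprintf(NULL, 0, "port=%s status=up", port_name) + 1;
}

/* True when the unbounded sprintf would overrun a LINE_SZ buffer. */
static bool would_overflow_fixed_buffer(const char *port_name)
{
    return bytes_sprintf_would_write(port_name) > LINE_SZ;
}

/* Hardened replacement: bounded formatting plus an explicit truncation check.
 * Returns true if the whole line fit, false if the input was too long; on
 * failure the buffer is emptied so the caller cannot use a half-built line. */
static bool format_status_line(char *line, size_t line_sz, const char *port_name)
{
    int n = snprintf(line, line_sz, "port=%s status=up", port_name);
    if (n < 0 || (size_t)n >= line_sz) {
        line[0] = '\0';
        return false;
    }
    return true;
}

int main(void)
{
    char line[LINE_SZ];
    const char *benign = "ttyS0";                                 /* constructed */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed, 36 bytes */

    printf("benign:    sprintf overflows=%d, snprintf ok=%d\n",
           would_overflow_fixed_buffer(benign), format_status_line(line, sizeof line, benign));
    printf("oversized: sprintf overflows=%d, snprintf ok=%d\n",
           would_overflow_fixed_buffer(oversized), format_status_line(line, sizeof line, oversized));
    return 0;
}
```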
Unlike modern operating systems in which gaining full access requires, at the very least, chaining a remote code execution and a privilege escalation exploit, getting root access on industrial control gateways is extremely easy and requires a single vulnerability.
“That’s because everything runs as root on these devices,” Roth said. “They run outdated Linux kernels, outdated web servers and so on. If any of those components fail, you are root on the machine.”
A third device that Roth investigated was a Lantronix EDS2100, a simple serial-to-Ethernet server that runs a proprietary operating system called EvolutionOS. The security of this particular device was actually better than that of the previous two, and there was even documentation from the vendor on configuring the device securely.
Nevertheless, Roth still managed to find CSRF and configuration injection issues in the web interface, as well as a bug in the web server that allowed for authentication to be bypassed.
The most recent devices that Roth looked at were a Schneider PowerLogic EGX100 Ethernet-to-Modbus gateway that’s widely used by asset owners and a proprietary radio-based system called the GE MDS that’s typically found in electrical grids and water management facilities such as dams.
The Schneider EGX100 had trivial vulnerabilities in its web interface, but also some more serious ones that Roth couldn’t disclose publicly because he’s still coordinating disclosure with the vendor. The GE MDS supports optional encryption of traffic, but Roth found a way to extract the pre-shared traffic encryption key, which means that compromising one such device can lead to the compromise of an entire network.
Roth thinks there are industrial gateway devices out there that are worse in terms of security than the ones he looked at. There are many devices that run eCos, a real-time operating system (RTOS) whose last release was in 2009 and which has no memory protection. There are devices that run Linux 2.4, which was released in 2001 and has publicly known vulnerabilities. There are also many cheap industrial gateway devices available for sale on eBay that have built-in SSH and serial backdoor accounts.
One way to protect these devices would be to access them only over VPN connections. Many of them support various types of VPN technologies, but unfortunately, the stacks are highly outdated and full of issues such as broken IKE parsers and bad crypto support, according to Roth.
“We really have an issue,” the researcher said. “We have no integrity protections on any of these devices. We literally can’t make sure that such a device has not been tampered with.”
Vendors’ firmware download portals are crazy insecure, too, and have cross-site scripting issues that could allow attackers to build phishing links that point to the vendors’ official websites yet deliver malicious firmware, the researcher said. “From my perspective, there’s no security culture for many of these vendors.”