13 Vulnerabilities Discovered in a Widely Used Industrial Router

OTORIO’s Pen Testers (PT) recently analyzed one of  InHand’s industrial routers and discovered 13 highly severe vulnerabilities, including two different Remote Code Execution vulnerabilities, Account Takeover, Authorization Bypass, and Malicious File Upload.

As industrial companies continue to digitally transform every aspect of their operations at breakneck speeds, the advantages--and disadvantages--of digitization are quickly rising to the surface. Industrial routers are at the forefront of this transformation; these ruggedly designed hardware components were built for harsh industrial environments, and deliver the reliable connectivity critical to ensuring business continuity for remote workforces dealing with organizations’ crucial OT layer. However, in the rush towards digitization organizations can mistakenly leave their industrial routers and network components open to the internet. This significantly raises the risk of internal network breaches that can reach HMIs and PLCs that connect directly to them.

OTORIO’s world-class Pen Testers (PT) recently analyzed one of  InHand’s industrial routers and discovered 13 highly severe vulnerabilities, including two different Remote Code Execution vulnerabilities, Account Takeover, Authorization Bypass, and Malicious File Upload. InHand is a leading provider of IoT products for the industrial sector that specializes in M2M routers, IoT gateways, vehicle gateways, industrial Ethernet switches, rugged computers and IoT management platforms. Their remote access service--InConnect--is a plug & play service that builds remote networks for industrial machines, enabling remote access to devices at any time and from anywhere.

Leveraging online networks scanners such as Censys and Shodan, OTORIO’s researchers discovered thousands of InHand router devices currently in use. Apparently, these highly popular devices are deployed across many industrial environments, and unfortunately, many organizations leave them exposed to external actors via the internet.

Successful remote exploitation of InHand’s’s vulnerabilities requires that hackers authenticate themselves to the router web management portal. This is easily done using default credentials, brute force (the IR615 router has weak password policy) and the enumeration of all valid users in the router using the enumeration vulnerability. This would enable malicious actors to introduce substantial risks to an organization by:

• Performing remote actions on the product
• Intercepting and stealing sensitive information
• Impersonating administrative actions
• Taking full control over the product
• Deleting system files
• Executing remote code
• Uploading malicious files

By performing Remote Code Execution, malicious actors could potentially gain access to an affected organization’s corporate and operational networks. From there, the path to the critical SCADA, OT and IIot components that control essential machinery and infrastructure is wide open, allowing malicious actors to easily wreak havoc on an organization's core operations.

Additionally, attackers could leverage the vulnerabilities to launch hard-to-detect phishing campaigns that would give them access to highly privileged accounts. With these accounts, attackers could change administrative settings of the network device to remotely perform configuration changes, modify administrator settings and even run system commands on the router.

Finally, attackers could take full control over InHand’s cloud-based products and execute code within the different internal networks that the products connect to.

OTORIO Industrial Router Security Recommendations

To date, the vulnerabilities still lack formal fixes from InHand. In the meantime, OTOTORIO recommends all companies to check that their routers and other OT devices are not accessible via the internet and to set up security controls such as firewall, VPN, ACL in their operational network.

OTORIO  encourages companies using InHand Router solutions to follow CISA’s  recommendations to minimize risks created by the exploitation of these vulnerabilities:

• Minimize network exposure for all control systems and devices and ensure that they’re not accessible via the internet.
• Set up firewalls for control system network and remote devices while isolating them from the business network so that IT penetrations don’t cross into the OT layer.
• Use only secure remote access methods such as VPNs while constantly verifying that they’ve been updated to the latest version available.

*****

InHand Networks is Addressing The Issue

In a statement released on their website, InHand addressed the vulnerabilities: "At InHand Networks, it is always our top priority to keep tracking, identifying and proactively addressing ever-evolving cybersecurity threats. We are committed to continued technological innovation and product development to ensure the security of management systems, IT infrastructure and connected devices.

We must all play a role to address threats. Our dedicated cybersecurity team working with our local branch professionals is available to address customer concerns or immediate threats to system security. We also appreciate the contribution made by our users, customers and professional third-party agencies in helping improve the security of our products and systems."

Read more on InHand advisory and download the company's latest firmware update at: https://inhandnetworks.com/product-security-advisories.html

*****

To learn more, read OTORIO’s Solutions Portfolio and see how we can help you protect your organization from industrial cyber attacks.