Exposed: Critical Vulnerabilities in Industrial Cellular Routers Threaten OT Networks
Thousands of internet facing vulnerable devices.
Industrial networks face grave risks as critical vulnerabilities in cellular routers jeopardize OT systems, emphasizing the urgency of proactive security measures.
Industrial cybersecurity firms, Otorio and Claroty, have conducted an in-depth analysis of cloud-management platforms used by industrial cellular router vendors, revealing a total of eleven vulnerabilities with the potential for remote code execution. Even if the cloud-management platform is not actively configured, these vulnerabilities pose severe risks to operational technology (OT) networks. The impact of these vulnerabilities extends beyond the specific vendors involved, potentially affecting thousands of industrial Internet of Things (IIoT) devices and networks in various sectors.
The research conducted by Otorio's security research team leader, Eran Jacob, and security researcher Roni Gavrilov, highlights the potential consequences of these vulnerabilities. The breaching of these devices can bypass the existing security layers in common deployments, as IIoT devices are typically connected to both the Internet and internal OT networks. This situation also increases the risk of propagation to additional sites through the built-in virtual private network (VPN), amplifying the impact on production and safety within the physical environment.
Attackers have various vectors through which they can exploit these vulnerabilities. These include gaining root access through a reverse-shell, compromising production network devices to facilitate unauthorized access and control with root privileges, and exfiltrating sensitive information or performing operations such as shutdowns. These vulnerabilities were responsibly disclosed to the vendors and the Cybersecurity and Infrastructure Security Agency (CISA), resulting in mitigations being implemented by the vendors to address the issues.
Teltonika Networks, a Lithuania-based company known for its LTE routers, gateways, and modems used across different sectors, has also encountered potential security flaws in its products. Otorio and Claroty specifically analyzed Teltonika's RUT241 and RUT955 cellular routers, along with the Teltonika Remote Management System (RMS) employed for monitoring and managing connected devices, whether deployed on-premises or in the cloud.
What was found?
During the analysis, eight types of security vulnerabilities were discovered in Teltonika's products. These vulnerabilities were briefly described in an advisory by the US Cybersecurity and Infrastructure Security Agency (CISA). Following the notification, Teltonika promptly released patches to address the identified vulnerabilities in both the RMS platform and the RUT routers. Otorio and Claroty provided a more detailed breakdown of their findings, shedding light on the potential consequences.
Exploiting the RMS vulnerabilities opens the door to arbitrary code or command execution with elevated privileges, unauthorized information retrieval, and the ability to route connections to remote servers. Similarly, vulnerabilities in Teltonika's routers enable arbitrary code or command execution. Of particular concern is the fact that certain vulnerabilities and exploit chains do not require any permissions or credentials for the devices. With thousands of Teltonika devices accessible from the internet, attackers can target exposed and non-exposed devices alike by compromising the cloud-based management platform.
Noam Moshe, a vulnerability researcher at Claroty, emphasized that 4G routers, such as those produced by Teltonika, are commonly utilized to connect remote IoT/IIoT sites or devices to the internet. Exploiting these vulnerabilities grants attackers access to the internal networks linked to the targeted devices. Consequently, unauthorized access to internal IIoT/IoT networks, vulnerable devices, and internal services across numerous organisations becomes a significant concern.
Final thoughts and remediation
The extensive adoption of industrial cellular routers underscores the urgency of addressing these vulnerabilities promptly. Teltonika Networks, alongside the impacted vendors, has taken critical steps by releasing patches and collaborating with researchers to mitigate the risks. Organisations utilizing the affected devices should diligently apply the necessary patches and follow the mitigation strategies outlined by Otorio and Claroty. By disabling unused cloud features, registering devices to limit remote access, and enforcing strong authentication measures, organizations can bolster the security of their industrial networks and protect against potential attacks.
