It’s no secret that industrial and operational technology (OT) systems tend to be less secure than their IT counterparts…or that remote-access tools are a major weak point in general.
At DEF CON 32 in Las Vegas, SySS researcher Moritz Abrell went for a twofer, disclosing vulnerabilities in an industrial remote-access gateway advertised as having state-of-the-art security.
HMS marketing materials state 500,000+ devices are connected to Ewon products, and the Ewon Cosy+ is the most secure unit yet—making it an ideal choice for Abrell’s research, he told the audience.
“The goal was to find vulnerabilities in the software or firmware using a pure black-box approach,” Abrell said. “Surprisingly, this was quite easy.”
Abrell discovered flaws that allowed him to bypass blacklisted parameters and upload custom VPN configuration files, as well as a cross-site scripting vulnerability in a logging page that exposed administrative passwords in plain text.
These two vulnerabilities combined into an exploit chain that could enable an attacker to steal signed certificates for other devices, impersonate them, and hijack their VPN sessions. It could also allow an attacker to imitate legitimate infrastructure and eavesdrop on sensitive data, or even terminate remote access to Cosy+ users across the globe, according to the findings.
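The two flaw classes above, a parameter blocklist that can be sidestepped and a log page that renders untrusted text and secrets unescaped, are common enough to be worth seeing side by side. The following is an added illustration, not code from the Ewon Cosy+ firmware or from the talk: a toy device web UI in Python with the weak pattern next to its hardened form. Parameter names (`exec-hook`, `remote`, `proto`, `cipher`) and the log lines are constructed for the example and are not the device’s real settings.

```python
import html
import re

# --- Part 1: VPN configuration upload ---------------------------------
# Hypothetical parameter names; none of these are Ewon Cosy+ settings.

# Blocklist approach: reject only the keys someone thought of.
# Any key not on the list passes, including ones added to the VPN
# software after the blocklist was written.
BLOCKED_KEYS = {"exec-hook"}

def blocklist_validate(config: dict) -> dict:
    """Weak check: passes every key except the explicitly blocked ones."""
    for key in config:
        if key in BLOCKED_KEYS:
            raise ValueError(f"blocked parameter: {key}")
    return config

# Allowlist approach: the device only needs a handful of parameters,
# so enumerate them and pin each one to a strict value format.
ALLOWED_PARAMS = {
    "remote": re.compile(r"[a-z0-9.-]{1,253}:\d{1,5}"),
    "proto": re.compile(r"udp|tcp"),
    "cipher": re.compile(r"AES-256-GCM|AES-128-GCM"),
}

def allowlist_validate(config: dict) -> dict:
    """Hardened check: unknown keys and malformed values are rejected."""
    clean = {}
    for key, value in config.items():
        pattern = ALLOWED_PARAMS.get(key)
        if pattern is None:
            raise ValueError(f"unexpected parameter: {key}")
        if not pattern.fullmatch(str(value)):
            raise ValueError(f"bad value for parameter: {key}")
        clean[key] = str(value)
    return clean

# --- Part 2: log page rendering ---------------------------------------

# Matches key=value pairs whose key looks like a credential.
SECRET_RE = re.compile(r"(?i)(password|passwd|secret)=\S+")

def redact(entry: str) -> str:
    """Mask credential values before the line is stored or displayed."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", entry)

def render_log_page_unsafe(entries: list) -> str:
    """Vulnerable: raw log text (which may contain attacker-supplied
    input and plaintext passwords) is interpolated straight into HTML."""
    rows = "".join(f"<tr><td>{e}</td></tr>" for e in entries)
    return f"<table>{rows}</table>"

def render_log_page_safe(entries: list) -> str:
    """Hardened: secrets are redacted and every entry is HTML-escaped,
    so log content is shown as text rather than interpreted as markup."""
    rows = "".join(
        f"<tr><td>{html.escape(redact(e))}</td></tr>" for e in entries
    )
    return f"<table>{rows}</table>"

# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "login user=admin password=hunter2 result=ok",
    "config upload name=<b>profile</b> result=rejected",
]

if __name__ == "__main__":
    print(blocklist_validate({"exec-hook-v2": "1"}))  # slips through
    try:
        allowlist_validate({"exec-hook-v2": "1"})
    except ValueError as err:
        print("allowlist:", err)
    print(render_log_page_unsafe(SAMPLE_LOG))
    print(render_log_page_safe(SAMPLE_LOG))
```

The design point is that the allowlist fails closed: a parameter the validator has never heard of is rejected rather than waved through, so the check does not need updating every time the VPN software grows a new directive. On the log side, escaping at render time stops injected markup from executing in an administrator’s browser, and redaction at write time means a successful script injection or a leaked log file has nothing sensitive to expose.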
“This means that energy plants, industrial facilities, critical infrastructures, or oil platforms all around the world are no longer accessible, and the users trying to connect to them could be attacked,” Abrell told the audience.
Abrell and his team were also able to root an Ewon Cosy+, obtain firmware-specific decryption keys, and obtain correctly signed certificates for other machines used in VPN authentication.
“With these certificates, we were finally able to impact the whole remote-access solution, accessing devices of connected users and extracting sensitive data,” Abrell said.
Abrell told IT Brew via email that while HMS responded quickly to his findings and patched the back-end vulnerabilities, that “level of cooperation is not always the norm” in the sector. He did note the other flaws that allowed him to escalate control over the device require user patching.
“The unauthenticated remote code execution exploit chain is particularly concerning,” Abrell wrote. “This lies within the device itself, as its exploitation is contingent on whether the device has been updated…the potential for real-world exploitation remains high, especially if attackers gain physical or network access.”
“Systems in industrial networks often do not receive regular updates, leaving known vulnerabilities unpatched and posing ongoing security risks,” he added.
While manufacturers have historically chosen not to prioritize security, other factors include cost, scalability, and the difficulty of securing a distributed environment.
Remote-access solutions are sometimes more difficult to secure in industrial than IT environments due to “higher demands, such as the need for ease of use combined with maximum compatibility with industrial protocols,” Abrell said.
Abrell said users should ensure they are enabling “network segmentation, applying regular updates, and restricting remote access to essential needs only” to minimize their potential exposure to remote-access breaches. For high-security infrastructure, he added, operators should consider hosting their own solution rather than relying on cloud services.