• The study focuses on the Sierra Wireless AirLink cellular routers, crucial for connecting OT/IoT networks to the internet.
• These routers are used in various critical infrastructure sectors, including manufacturing, healthcare, government, energy, transportation, and emergency services.
• Sierra Wireless, OpenNDS, and Nodogsplash have patched several vulnerabilities, but challenges remain due to the abandonment of projects like TinyXML​​.

Flaws and Examples

The vulnerabilities are grouped into five impact categories​​:

1. Remote Code Execution (RCE): Attackers can take full control of a device by injecting malicious code.
2. Cross-Site Scripting (XSS): This allows for the injection of malicious code on clients browsing the ACEmanager application, potentially leading to credential theft.
3. Denial of Service (DoS): These vulnerabilities can be used to crash ACEmanager, rendering it unreachable or causing it to restart automatically.
4. Unauthorized Access: This involves design flaws like hardcoded credentials and private keys, which could allow attackers to perform man-in-the-middle attacks or recover passwords.
5. Authentication Bypasses: These allow attackers to bypass the authentication service of the captive portal and directly connect to the protected WiFi network.

Severity of Vulnerabilities: Among these 21 vulnerabilities, one is of critical severity, nine have high severity, and eleven have medium severity. These vulnerabilities could allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device, and use it as an initial access point into critical networks.

Affected Sectors: The affected devices are found in multiple critical infrastructure sectors. These include manufacturing, healthcare, government and commercial facilities, energy and power distribution, transportation, water and wastewater systems, retail, emergency services, and vehicle tracking. Additionally, these routers are used to stream video for remote surveillance and connect police vehicles to internal networks.

Extent of Exposure: Over 86,000 vulnerable routers are exposed online. Notably, less than 10% of these exposed routers have been confirmed to be patched against known vulnerabilities found since 2019, which indicates a large attack surface. Moreover, 90% of devices exposing a specific management interface (AT commands over Telnet) have reached the end of their life, meaning they cannot receive further patches​​.

Specific examples include:

• CVE-2023-40458: ACEmanager enters an infinite loop when parsing malformed XML documents, leading to DoS.
• CVE-2023-40459: A NULL-pointer dereference in ACEmanager during user authentication, leading to limited DoS.
• CVE-2023-40460: Attackers can upload HTML documents to replace legitimate web pages in ACEmanager, leading to XSS attacks.
• CVE-2023-40461 and CVE-2023-40462: Issues with uploading client certificates and client TLS keys in ACEmanager, enabling JavaScript code injection.
• CVE-2023-40463: Hardcoded hash of the root password in ALEOS, allowing unauthorized root access.
• CVE-2023-40464: Default SSL private key and certificate in ALEOS, enabling impersonation and traffic sniffing/spoofing​​.

Mitigation or Workaround

• Patching is essential. Sierra Wireless has released updated ALEOS versions containing fixes.
• Change default SSL certificates.
• Disable unnecessary services like captive portals, Telnet, and SSH.
• Deploy web application firewalls to protect against web-based vulnerabilities.
• Use OT/IoT-aware intrusion detection systems to monitor network connections​​.

Conclusion

• Vulnerabilities in OT/IoT network infrastructure are a major concern and are often left unpatched.
• Less than 10% of routers exposed online are patched against known vulnerabilities.
• Embedded devices lag in addressing vulnerabilities and implementing exploit mitigations.
• Incomplete fixes can lead to new issues, as seen with CVE-2023-40460, originating from an incomplete fix for a previous vulnerability.
• Manufacturers need to understand and address the root causes of vulnerabilities for effective long-term solutions​​.

The post Over 86,000 Routers at Risk – Is Yours One of Them? Shocking Vulnerabilities in Widely Used OT/IoT Routers appeared first on Information Security Newspaper | Hacking News.

The new method allows stealing information and data from air-gapped systems by using the SATA cables as a wireless antenna to transmit data and information from a hacked PC onto a receiver somewhere close to a distance of less than 4 feet. Air-gapped systems are used in critical environments like nuclear power plants that need to be physically isolated from networks that are connected to the public internet. The same researcher   has been involved in more than 12 projects researching various techniques for stealing data from air-gapped networks.

His team has proved that isolated networks can still allow leaking of sensitive information via signals (light, vibrations, sound, heat, magnetic or electromagnetic fields) generated by components like monitors, speakers, cables, CPU, HDDs, cameras, keyboards.

For this SATAn attack to work, an attacker first needs to infect the target device with a piece of malware. Once installed the malware can use SATA cables for performing the exfiltration by modulating and encoding it. Although air-gap computers have no wireless connectivity, malware will allow the use of the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band. The Serial ATA (SATA) is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives. 

The experiments show that the SATA 3.0 cables emit electromagnetic emissions in various frequency bands; 1 GHz, 2.5 GHz, 3.9 GHz, and +6 GHz. The idea behind the covert channel is to use the SATA cable as an antenna. Also during the research they found out that reading operations on SATA are more effective in producing stronger signals than writes operation. This also makes the overall attack situation easier, as writing can often require more privileges.   Using this technique data transmission with a bit rate of 1 bit/sec is possible, which is shown to be the minimal time to generate a signal which is strong enough for modulation.

 A countermeasure proposed in the paper is that of a SATA jammer, which monitors for suspicious read/write operations from legitimate applications and adds noise to the signal.

The post New Technique “SATAn” to hack Air-Gapped computers using SATA cables as Antenna appeared first on Information Security Newspaper | Hacking News.