4G routers have become prevalent in connecting remote industrial sites to the network. Admins rely on them to act as a gateway linking the industrial network to the internet so that they can perform routine and emergency maintenance on remote sites.
Understanding that thousands of internet-facing 4G routers are reachable not only by legitimate users but also by attackers, Claroty Team82 and researchers from OTORIO decided to look at one of the leaders in this space, Teltonika, to understand the attack surface of industrial IoT routers.
In this episode of the Nexus podcast, Team82 researcher Noam Moshe describes the eight vulnerabilities found in Teltonika RUT routers and in its cloud management platform, the Teltonika Remote Management System, and three distinct attack vectors that emerged from this research. Teltonika, meanwhile, has updated both the RUT router and cloud platform to address these vulnerabilities.
“What happens when you have a thousand remote sites? It’s not so easy to connect each and every one of them with your conventional ISP and internet connection; that’s why we’re seeing more 4G routers, because it allows us to connect the router to the internal network and now, using 4G, this router acts like a gateway connecting our network to the internet. Because of this, we see thousands of internet-facing 4G routers, and we thought: ‘What cool attack vectors can we find, how can we exploit them, and what could it lead to?’”
Team82 and OTORIO used chains involving each of the eight vulnerabilities to attack these routers in three distinct ways: targeting internet-exposed services, through cloud account takeover, and exploiting cloud infrastructure vulnerabilities. Successful exploits could lead to a number of outcomes, including monitoring network traffic, stealing sensitive data, hijacking internet connections, and accessing internal services.
A number of the vulnerabilities were assigned high-severity CVSS v3 scores, including a 10.0 for CVE-2023-32347, an improper authentication scheme that allowed users to register devices to the Teltonika cloud using only the device MAC address and serial number. Both values are printed on the device label and are easily accessible to anyone wishing to spoof the device.
“It’s easy to brute force this identification and impersonate the device,” Moshe said. “This issue of weak authentication is widespread and we’ve seen it many times. Companies should use better, more random credentials because here they used the MAC address and serial number as credentials. Teltonika implemented more cryptographically secure device authentication in order to block this vulnerability of device impersonation and device stealing.”
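To make the contrast concrete, the following is an added example (not Teltonika's code, and not taken from the research) showing the weak registration pattern described above beside a hardened challenge-response enrollment in which the device proves possession of a factory-provisioned random secret; the device inventory, secrets and identifiers are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Weak pattern: the cloud treats label-printed identifiers as credentials.
# Anyone who can read (or guess) a MAC and serial can "register" that device.
KNOWN_DEVICES = {("AA:BB:CC:DD:EE:01", "SN-0001")}  # constructed inventory


def register_weak(mac: str, serial: str) -> bool:
    """Vulnerable: static identifiers are not proof of possessing the device."""
    return (mac, serial) in KNOWN_DEVICES


# Hardened pattern (one way to implement 'cryptographically secure device
# authentication'; an assumption, not the vendor's design): each device is
# provisioned at manufacture with a random 256-bit secret that never leaves it.
DEVICE_SECRETS = {"SN-0001": secrets.token_bytes(32)}  # constructed secrets
OUTSTANDING = set()  # challenges issued by the cloud and not yet consumed


def issue_challenge() -> bytes:
    """Cloud side: fresh random nonce, remembered so each one is single-use."""
    challenge = secrets.token_bytes(16)
    OUTSTANDING.add(challenge)
    return challenge


def device_response(secret: bytes, challenge: bytes, serial: str) -> bytes:
    """Device side: MAC over the challenge and its own serial; secret stays local."""
    return hmac.new(secret, challenge + serial.encode(), hashlib.sha256).digest()


def register_strong(serial: str, challenge: bytes, response: bytes) -> bool:
    """Cloud side: accept only a correct response to a live, unused challenge."""
    if challenge not in OUTSTANDING:      # unknown or already used: blocks replay
        return False
    OUTSTANDING.discard(challenge)        # consume it whatever the outcome
    secret = DEVICE_SECRETS.get(serial)
    if secret is None:
        return False
    expected = device_response(secret, challenge, serial)
    return hmac.compare_digest(expected, response)  # constant-time compare
```

The weak check succeeds for anyone holding two printed strings, while the hardened check requires the per-device secret and rejects a replayed response.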
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.