Internet-connected industrial devices could be accessible to anyone, with no password, due to a coding error by a gateway manufacturer.
Taiwanese firm Advantech patched the firmware in some of its serial-to-IP gateway devices in October to remove a hard-coded SSH (Secure Shell) key that would have allowed unauthorized access by remote attackers.
But it overlooked an even bigger problem: Any password will unlock the gateways, which are used to connect legacy serial devices to TCP/IP and cellular networks in industrial environments around the world.
Researchers from security firm Rapid7 discovered the vulnerability in the revised firmware, version 1.98, released for the Advantech EKI-1322 Internet protocol (IP) gateway, which can connect serial and Ethernet devices to a cellular network.
The firmware contains an open-source SSH server called Dropbear that has been heavily modified. As a result of these modifications, it no longer enforces authentication, allowing any user to connect to it with any public key and password, the Rapid7 researchers said in an advisory.
In addition, there might be another backdoor account built in with a hard-coded password, separate from the previously found and removed SSH key, the researchers said.
The new issue was fixed in version 2.00 of the firmware for EKI-1322, released on Dec. 30. Users are advised to update to this version as soon as possible.
Even though only the EKI-1322 firmware was tested, the Rapid7 researchers believe that the same authentication bypass flaw might exist in all other Advantech EKI serial-to-IP gateways.
Advantech advertises such products as a simple way to bring remote management and data accessibility to thousands of industrial devices that cannot natively connect to TCP/IP networks. However, vulnerabilities like this one highlight the risks of connecting such sensitive equipment to the Internet and the importance of strong network segmentation policies in industrial environments.