Recently we looked at a few ethernet-to-cellular and serial-to-cellular gateways for security issues by scavenging and analyzing firmwares from a few common vendors.  These are devices that are targeted towards Industrial users (and, ironically, ATMs are also in the target demographic).

A popular trend with these devices is the usual ‘management backdoor’: management services are bound to all interfaces (including the cellular interface), and a special password will give anyone access.  Most often the backdoor password is based on device serial number or even Ethernet MAC address, either taking a part of that address or performing a simple hashing operation against it. Ironically these mechanisms can be uncovered by consulting sales images on eBay, which provide many images of all three numbers (serial, MAC, and default password).

Very frequently gateways are deployed with SNMP enabled, and the device serial number and MAC address can be retrieved remotely.  End users are unlikely to completely secure their devices, and change only the known administration password, leaving the remainder of settings as they are.

Many devices can be found on Shodan, and quite a large subset of those have common industrial/build management protocol ports like 44818, 502, 47808, and 20000 forwarded to an industrial field device.

Dale wrote a nice blog series about a part of this issue all the way back in 2010 (part 1), (part 2). A common problem is that companies still don’t know what it is that they want out of a cellular gateway, and the carriers still don’t always understand exactly what they are selling with their service. As Dale said in 2010, there isn’t an intent to mislead. Generally an end user asks for cellular service, assumes the device will be isolated, and buys what is offered.

Some carriers are starting to have wireless engineers who specialize in industrial applications.  When in doubt, seek one of these out.  And trust, but verify: it doesn’t hurt to check that access to the device is restricted in the way that you expect.  Remember that most wireless gateways have vulnerabilities, and can’t be relied upon by themselves, to provide security for your field equipment.

Image by fastlizard4