It has been reported that security experts have found multiple vulnerabilities in Moxa industrial switches (in the EDS-405A, EDS-408A, EDS-510A, and IKS-G6824A series) that are used to build industrial networks for oil and gas, transportation, maritime logistics, and numerous industrial sectors. By exploiting these flaws, hackers could recover the password from a cookie intercepted over the network or by using Cross-Site Scripting (XSS), extract sensitive information, or bruteforce credentials using the proprietary configuration protocol to obtain control over the switch and possibly the entire industrial network.
Ofer Maor, Director of Solutions Management at Synopsys:
“Unlike many disclosures, where a single vulnerability is identified, the collection of vulnerabilities found in the Moxa switches is a clear indication that insufficient thought has been given to security in the development of these products. Identification and publication of such a collection of vulnerabilities together is usually the result of a security researcher spending time looking into a product which has previously not had much effort put into security, allowing them to uncover, in a relatively short time frame, a lot of vulnerabilities. Looking at the list, some of these vulnerabilities are results of omissions of fairly rudimentary controls, which is another indication that not much effort has been put into the security of these systems.
Unfortunately, this is not surprising. The historically secluded nature of critical infrastructure devices (i.e. they are on dedicated networks that were not connected to the internet) allowed them to “stay under the radar” as far as attack surfaces go, and allowed the vendors, or at least some of them, to keep ignoring security. For that reason, when researchers look into some of these systems, the findings represent what one would expect when looking into the security of a system for the first time.
Like with any type of software, there is no magic pill here. Vendors of critical infrastructure devices and software, much like any other IoT vendor, must build secure development programs, starting with secure architecture, through secure coding, training of developers, and implementing of rigorous automated and manual testing procedures for security, much like they do for quality. This maturity of securing software has already been adopted by other industries, like cloud vendors, financial services and online retailers, and will have to be adopted by anybody who is starting to connect to the world, whether it is critical infrastructure, automotive, consumer IoT, etc.”