In late 2016, security researcher Justin Shattuck was on assignment for an organization that was under a denial-of-service attack carried out by a large number of devices, some of which appeared to be hosted inside the network of a major European airport. As he scanned the airport network from the Internet—and later, with the airport operators’ permission, from within the network—he was finally able to confirm that the devices were part of several previously unseen botnets that were carrying out record-breaking denial-of-service attacks on websites.
One of the affected devices was a wireless gateway from Sierra Wireless, which authorized IT administrators used to connect to the airport network in the event that the primary links failed. Surprised that such a sensitive device could become a foot soldier in a denial-of-service attack, Shattuck began to investigate. What he found surprised him. Not only did an Internet scan show that 40,000 such gateways were operating in other networks, but a large percentage of them were revealing a surprising amount of sensitive data about the networks they connected to.
Affects people’s lives
Worse, it turned out that many of the unsecured gateways were installed in police cars, ambulances, and other emergency vehicles. Not only were the devices publicly announcing the locations of these first responders, but they were also exposing configurations that could be used to control the gateways and, from there, possibly the dash cameras, onboard vehicle computers, and other trusted devices that rely on the wireless gateways for their Internet connections.
An informal investigation at the time found that 47 municipalities and 29 police officers used unsecured devices. At one point early on, Shattuck, who is the chief threat researcher for F5 Networks, tracked several cars as they drove around Houston. By tracking their locations over time and noting the places where they often stopped, Shattuck soon realized they were police vehicles.
Shattuck said he has spent the past 22 months investigating the problem and helping wireless gateway providers—which, besides Sierra Wireless, also include Moxa and Digi—start fixing it. Despite those efforts, he said that scans continue to reveal large numbers of unprotected devices that expose not only emergency first responders but also remote pipelines, hydrogen fuel stations, traffic monitoring systems, tolls, bridges, and airports. Now, after two years of keeping the problem a carefully guarded secret, he plans to discuss it in detail on Thursday at the Black Hat security conference in Las Vegas.
“It’s time to talk about this,” Shattuck told Ars. “This touches people’s lives in ways you only see in the movies.”
Shattuck said one of his main concerns is that the unsecured devices reveal a host of sensitive information about first responders in real time. When someone first monitors a feed, it is not immediately obvious that it comes from a device in a police car or an ambulance, but with a small amount of tracking it quickly becomes clear. A car, for example, that shows up in the same area every eight hours is almost certainly a police cruiser. Likewise, a vehicle that regularly visits hospital emergency rooms is usually an ambulance. Shattuck would often see police cruisers stop at a residence and stay there for several hours, an indication that the location may be the officer’s home.
Disclosing that information on the open Internet presents many risks. Of particular concern is the risk to first responders when their real-time location is broadcast without their knowledge. Police often depend on the secrecy of their location. Criminals or organized crime groups who get hold of the feed can use it in physical attacks or to evade law enforcement. Because the unsecured devices also leak configuration information about the networks they’re connected to, savvy hackers can also use that information to access police or hospital networks, monitor or delete dash cam footage, or monitor the driver’s Internet or radio communications.
“If somebody can tell where those police officers are, then you can start to bring them back,” Shattuck said. “You can follow them. You can compromise a trusted device by taking it offline or man-in-the-middle.”
There is no easy fix
Fixing the problem has proven frustrating, in part because it doesn’t stem from a single cause. In some cases, it is the result of firmware bugs that fail to properly restrict Internet-facing devices to authorized users. In some cases, it’s because devices are shipped with default credentials that no one has changed. In other cases, someone configures services that leak sensitive data. Affected devices include the Sierra Wireless AirLink models LS300, GX400, GX/ES440, GX/ES450, and RV50; the Digi TransPort WR44; and the Moxa OnCell G3.
“The key issue is that devices are shipped with a configuration UI that is exposed to the public Internet instead of using a platform like ALMS (short for AirLink Management Service) for remote control and/or use of product security features such as IP Trust to restrict access to the device to authorized hosts,” said Larry LeBlanc, security engineer for Sierra Wireless, about why his company’s products are not secure. In many cases, third-party services install the devices using static, publicly reachable IP addresses and do not change the default credentials.
Over the past few years, Sierra Wireless has issued six recommendations, linked from the original article. New Sierra Wireless products ship with all available security patches and a secure default configuration—for example, the configuration UI is not enabled by default.
The company has also introduced a free security service to help users secure their devices. Anyone operating AirLink gateways that are reachable from the public Internet can use the service by calling Sierra Wireless Technical Support at 877-552-3860. People who use gateways from other providers should contact their technical support departments.
On Wednesday morning, F5 released a report describing its findings. Shattuck said that however overlooked the small devices are, they represent a risk to emergency first responders.
“To them it’s just a black box in an ambulance,” he said. “They have no idea that the little black box that hits your head is what lets people in. The point is that we can control the functions connected to the machine.”