Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks

Several serious vulnerabilities discovered by researchers in industrial routers made by InHand Networks could expose many organizations to remote attacks, and patches do not appear to be available.

Several serious vulnerabilities discovered by researchers in industrial routers made by InHand Networks could expose many organizations to remote attacks, and patches do not appear to be available.

The flaws were discovered nearly one year ago by researchers at industrial cybersecurity firm OTORIO in IR615 LTE routers made by industrial IoT solutions provider InHand Networks. The company has offices in China, the U.S. and Germany, and its products are used all around the world. InHand says its customers include Siemens, GE Healthcare, Coca Cola, Philips Healthcare and other major companies.

InHand industrial router vulnerabilitiesAccording to an advisory published last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), OTORIO researchers discovered a total of 13 vulnerabilities in the IR615 router.

The list includes critical cross-site request forgery (CSRF), remote code execution, command injection, and weak password policy issues, as well as high-severity improper authorization and cross-site scripting (XSS) vulnerabilities.

CISA warned that malicious actors could exploit the vulnerabilities to take complete control of affected devices and intercept communications in an effort to steal sensitive information.

OTORIO told SecurityWeek that it has identified thousands of internet-exposed InHand routers that could be vulnerable to attacks, but the company noted that exploitation from the internet requires authentication to the router’s web management portal. An attacker could authenticate to the device using default credentials or by leveraging brute-force attacks to obtain login credentials. Brute-force attacks are made easy by the router’s weak password policy and a flaw that can be used to enumerate all valid user accounts.

The cybersecurity firm warned that an attacker could leverage the vulnerabilities to infiltrate an organization. From the InHand device, the attacker could move to other industrial systems within the victim’s network.

SecurityWeek ICS Cyber Security Conference

“The attacker may abuse the Remote Code Execution vulnerability to get a first foothold on the device via running CLI commands; implant a first backdoor on the device as a persistence stage; and start scanning the internal organization network in order to elevate the attacker privileges and move on to sensitive assets on the network,” explained Hay Mizrachi, penetration tester at OTORIO. “The final objective is to achieve Domain Admin privileges on the organization. Of course, if there are additional sensitive networks such as OT networks, the attacker can try to get a foothold and disrupt the day-to-day functioning of the product line floor to cause additional damage and financial costs.”

OTORIO reported its findings to InHand Networks, through CISA, in November 2020. However, CISA said in its advisory that the vendor “has not responded to requests to work with CISA to mitigate these vulnerabilities.” CISA has provided some generic mitigations to help impacted organizations reduce the risk of exploitation.

SecurityWeek has reached out to InHand Networks for comment and will update this article if the company responds.

UPDATE 06/30/2022: InHand has informed SecurityWeek that an advisory addressing the vulnerabilities has been published. An update that should patch the flaws has been released. 

Related: Cisco Patches Dozen Vulnerabilities in Industrial Routers

Related: Several Vulnerabilities Expose Phoenix Contact Industrial 4G Routers to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...