Red Lion Controls is preparing a firmware update to address a vulnerability in the N-Tron 702-W Industrial Wireless Access Point that can be exploited by an attacker to compromise communications and the integrity of the device.
According to an advisory published by ICS-CERT this week, a researcher discovered hardcoded SSH and HTTPS encryption keys that are shared across N-Tron 702-W Industrial Wireless Access Point devices. Customers do not have the ability to generate new keys for their devices.
An attacker can use the keys from one product to decrypt traffic from any other device. The flaw, which affects all versions of the N-Tron 702-W Industrial Wireless Access Point, can be exploited remotely even by an attacker with low skill, ICS-CERT noted.
The vulnerability was identified by researcher Neil Smith back in 2012. Smith was working at social risk management company ZeroFOX when he discovered the vulnerability.
ICS-CERT has decided to disclose the vulnerability (CVE-2012-4716) because the vendor has been unresponsive. The existence of the security hole has been made public to warn critical infrastructure asset owners of the risk of using this N-Tron equipment.
Red Lion Controls representatives told SecurityWeek that a fix for this issue is currently in development and that a new firmware version will be deployed in the coming weeks.
Red Lion customers who want to be notified when the update becomes available are advised to contact the company’s technical support team at support(at)redlion.net.
“Red Lion is committed to providing our customers with reliable, secure industrial networking devices, and will address this issue with the highest priority,” Red Lion said in an emailed statement. “Further, we’re reviewing our internal escalation procedures regarding communiques from ICS-CERT so that we may respond in a more timely fashion to their inquiries.”
UK-based instrumentation and controls company Spectris plc acquired Mobile, Ala.-based rugged industrial networking components manufacturer N-Tron in 2010 for $51 million. In February 2013, Spectris combined N-Tron, Sixnet and Red Lion under the Red Lion brand.
N-Tron products are deployed in sectors such as energy, commercial facilities, nuclear reactors, transportation, and water and wastewater in more than 50 countries across the world.