Vulnerable Out of Band Consoles Put Industrial Assets at Risk

Researchers Find Internet-Exposed, Poorly Protected Out of Band Consoles Commonly Used in Maritime and Oil & Gas Industries

Vulnerable, improperly protected Out of Band (OOB) consoles expose ships, drilling rigs, remote shore-based facilities, and even mobile vehicles to attackers, researchers from security firm Pen Test Partners warn.

The use of OOB management proves highly useful in the event of equipment failure or lost satellite connections, especially since it incurs significantly lower costs compared to having to fly in an engineer to remedy the situation. 

Learn More: Explore Industrial Cybersecurity at SecurityWeek’s ICS Cyber Security Conference

OOB consoles found on-site ensure that incidents can be resolved fast, via a backup satcom connection. What may cause an issue, however, is keeping poorly protected OOB consoles exposed to the Internet, Pen Test Partners’ Ken Munro says. 

Numerous Uplogix 3200 devices – an OOB console that protects passwords poorly (CVE-2019-12873) and which has reached end-of-life (EOL) four years ago – can be found connected to the public Internet, which poses a great risk for their owners. 

Normally, physical access to the device is required to recover credentials, but credentials are often re-used across sites and devices resold, not to mention that weak credentials render devices susceptible to brute force. 

“Brute force can take a lot of bandwidth. A lot of bandwidth on a high-latency connection. A very expensive connection. Ping responses can take 700ms or more,” Munro points out. 

A Shodan search revealed over 50 devices connected to the Internet, most of them in the United States. Attacks on them could either result in device compromise or a huge bill for the victim, given the costly connection, the researchers argue. 

However, OOB management devices that use cellular data can also be targeted if not properly secured. 

The eWon Flexy Internet of Things router, for example, uses default credentials (adm/adm), protects security keys rather poorly, and also exposes encrypted VPN Private Certificate. And there are roughly 3500 of such devices accessible from the public Internet, the researchers say. 

While keeping OOB consoles out of the Web (behind a NAT) and ensuring that strong credentials are used should mitigate risks, there are plenty of other issues that impact maritime security overall, Pen Test Partners’ Nigel Hearne reveals. 

Over the past year, the researchers noticed reoccurring issues such as the lack of understanding and interaction between IT and OT, deliberate bypass of security features, poor configuration and management, and “terrible” security provided by maritime technology vendors. 

During their pen testing of ships and rigs in 2019, the researchers found a long list of issues, such as a maritime-specific security product that was vulnerable, poor documentation of on-board networks, Wi-Fi access points connected to critical systems, dual-homed PCs bridging networks, supplier remote access systems still in place, password re-use, default credentials, and lack of adequate patching. 

Related: Hackers Can Hijack, Sink Ships: Researchers

Related: Maritime Cybersecurity: Securing Assets at Sea