There are multiple vulnerabilities in OleumTech’s WIO family, including the sensors and the DH2 data collector, according to an advisory from ICS-CERT.
Researchers Lucas Apa and Carlos Mario Penagos Hollman of IOActive coordinated the vulnerability details with ICS-CERT and OleumTech in the hope the vendor would develop security patches to resolve them.
While ICS-CERT has had many discussions with OleumTech and IOActive over the past year, there has been no consensus on the vulnerability details, and no product changes have resolved the identified vulnerabilities.
In the interest of alerting asset owners using OleumTech products to these vulnerabilities, ICS-CERT is publishing its advisory, as it believes the vulnerabilities have a high probability of remote exploitability.
The following OleumTech products suffer from the issues: the OleumTech WIO DH2 Wireless Gateway and all versions of the OleumTech Sensor Wireless I/O Modules.
Two of the identified vulnerabilities could allow a man-in-the-middle (MitM) attacker either to monitor the data stream for reconnaissance or to insert specially crafted packets into it. The third can lead to a denial-of-service (DoS) condition under the right circumstances.
OleumTech has headquarters in Foothill Ranch, CA. The affected products are part of the OleumTech WIO System, developed to provide end-to-end wireless remote monitoring infrastructure. According to OleumTech, WIO products see use across several sectors, including energy, water and wastewater systems, and others, primarily in the United States and Canada.
If the DH2 Gateway receives a specially crafted packet with a high value in the battery voltage field, the gateway’s radio receiver crashes. If this is repeated multiple times, a DoS condition could occur. ICS-CERT also says this could allow an attacker to execute arbitrary code.
This vulnerability is tracked as CVE-2014-2360 and has a CVSS v2 base score of 5.0.
When any of the devices is connected to BreeZ, it is possible to read the device’s site security key without authentication. Someone who has stolen a node or has physical access to a device could obtain the site security key and then communicate freely with other devices on the network. An attacker cannot read the key remotely while the data system is up and running, only in the manual setup mode. Data flows one way, from sensor to gateway collector, and there is no control channel back to the sensor. To reset the key, the device must be taken offline and updated manually.
This vulnerability is tracked as CVE-2014-2361 and has a CVSS v2 base score of 7.2.
The Site Security Key is generated using the time64() function from the standard C library. The result is a 4-byte number corresponding to the calendar time at which the project was created. Because the candidates are bounded by the plausible range of project creation dates rather than by the full 32-bit space, using this value as a site security key could allow an unauthenticated device to guess the key by trying a relatively small number of combinations.
This vulnerability is tracked as CVE-2014-2362 and has a CVSS v2 base score of 7.8.
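To make the key-space reduction concrete, the following is an added Python example; it is not part of the ICS-CERT advisory or of OleumTech’s software. It models a site key derived from a project creation timestamp, as the advisory describes, and shows how an attacker who knows roughly when a site was commissioned can enumerate the candidates in minutes rather than facing all 2^32 values. The little-endian byte order, the oracle used to confirm a guess (standing in for a node that answers only when the key matches), and the dates are assumptions for illustration.

```python
import datetime as dt
import struct
from typing import Callable, Optional, Tuple


def site_key_from_time(creation_time: int) -> bytes:
    """Model of a 4-byte site key derived from a calendar-time value.

    Assumption (not from the advisory): the key is the low 32 bits of the
    seconds-since-epoch creation time, packed little-endian. Only the size
    and the time origin are documented; the byte order is a guess.
    """
    return struct.pack("<I", creation_time & 0xFFFFFFFF)


def keyspace_size(window_start: int, window_end: int) -> int:
    """Number of candidate keys if the project was created in [start, end]."""
    return window_end - window_start + 1


def reduction_factor(window_start: int, window_end: int) -> float:
    """How many times smaller the search is than a uniformly random 32-bit key."""
    return 2**32 / keyspace_size(window_start, window_end)


def brute_force_site_key(
    oracle: Callable[[bytes], bool],
    window_start: int,
    window_end: int,
) -> Tuple[Optional[bytes], int]:
    """Try one key per second in the window, newest first, until the oracle accepts.

    `oracle` stands in for whatever lets an attacker confirm a guess, e.g. a
    network node that only responds to traffic authenticated with the right
    key. Returns (key, attempts); key is None if the window did not contain it.
    """
    attempts = 0
    for t in range(window_end, window_start - 1, -1):
        attempts += 1
        key = site_key_from_time(t)
        if oracle(key):
            return key, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed scenario: the attacker knows only that the site was
    # commissioned in June 2013 (e.g. from a permit or press release).
    utc = dt.timezone.utc
    start = int(dt.datetime(2013, 6, 1, tzinfo=utc).timestamp())
    end = int(dt.datetime(2013, 7, 1, tzinfo=utc).timestamp()) - 1
    real_creation = int(dt.datetime(2013, 6, 12, 9, 30, tzinfo=utc).timestamp())
    real_key = site_key_from_time(real_creation)

    key, attempts = brute_force_site_key(lambda k: k == real_key, start, end)
    print(f"candidates in a one-month window: {keyspace_size(start, end):,}")
    print(f"full 32-bit space is {reduction_factor(start, end):.0f}x larger")
    print(f"recovered key {key.hex()} after {attempts:,} attempts: {key == real_key}")
```

A one-month window leaves about 2.6 million candidates, roughly 1,600 times fewer than a random 32-bit key, and a week narrows it to about 600,000. Note that even a properly random 4-byte key is only a 32-bit secret; the fix for a network authentication key is both an unpredictable source and an adequate key length, not one without the other.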
ICS-CERT considers these vulnerabilities remotely exploitable. No known public exploits specifically target them; however, an attacker with a low skill level would be able to exploit them.
The vendor and the IOActive research team do not completely agree with ICS-CERT about the severity and validity of these vulnerabilities. The vendor has stated it does not plan to resolve vulnerabilities it considers invalid. However, the vendor has provided the following statements addressing several of the original findings:
• All Data Messages are sent in Plain Text: This data can be encrypted using an OleumTech-specific key programmed and enabled by the third-party radio component vendor, or a specific key can be created and installed during manufacture by OleumTech. Because this option is available to users, ICS-CERT believes this is not a vulnerability but a user configuration issue.
• Key Management Errors & Use of Cryptographically Weak PRNG: The vendor states the key in the DH2 is for site-specific RF network authentication only, not encryption, and has no plans to change the DH2. The replacement DH3 platform will handle key management differently.