Claroty exposes vulnerabilities in Teltonika’s IIoT products
The evolution of Industry 4.0 demands high connectivity of devices wherever they are located. Using 4/5G routers to enable such connectivity has been and will always be one of the foundations allowing hyper-transformation to drive this connectivity.
In IoT, the challenge starts with the need to scale up; most solutions need to support a huge fleet of 4G routers, enabling sys-admins to configure, monitor, and maintain all of their devices. This is where cloud management platforms are introduced, allowing sys-admins control over their devices remotely, through the internet.
However, with the move to smart cloud-controlled devices comes risk, as vulnerabilities in the cloud platform could introduce new attack vectors to companies, risking their remote site and vulnerable IoT/IIoT networks.
Claroty's research arm, Team82, has disclosed eight critical vulnerabilities in Teltonika Networks' IoT products to explore this new threat landscape.
Teltonika specialises in manufacturing and developing networking devices, including routers, modems and industrial networking equipment, with these vulnerabilities affecting thousands of internet-connected devices worldwide. The research specifically focused on the Teltonika Remote Management System and RUT model routers, one of the most popular routers businesses use globally.
The Teltonika Remote Management System (RMS) product is a cloud-based or on-premises platform that enables users to monitor and manage their connected devices from anywhere. The RMS platform provides real-time monitoring and control, making it easier for organisations to track their devices' and network's status and performance. The platform also offers advanced features such as device management, software and firmware updates, GPS tracking, and data visualisation. In addition, the RMS platform is designed to be scalable and secure, ensuring that businesses of all sizes can benefit from the platform's capabilities.
The research revealed multiple attack vectors, including exploiting internet-exposed services, cloud account takeover, and cloud infrastructure vulnerabilities. These vulnerabilities could allow attackers to compromise industrial routers and IoT devices, leading to significant impacts such as monitoring network traffic, stealing sensitive data, hijacking internet connections, and accessing internal services.
Teltonika RMS cloud-based management platform is vulnerable to an unauthorised attacker registering previously unregistered devices on the RMS, but only if the router's RMS management feature enabled by default has not been disabled. This could enable the attacker to perform different operations from the cloud on unsuspecting user's routers, including remote code execution with root privileges (using the Task Manager feature on RMS).
"Another vulnerability (CVE-2023-32348), enabled us to make requests from the RMS infrastructure. This meant we were able to access everything the RMS can access, including internal API, other infrastructure etc. By exploiting this vulnerability, it is possible for attackers to access internal infrastructure used by Teltonika. This vulnerability stems from the Device VPN Hub feature of the RMS platform, a shared VPN hub allowing cross-device communication. This feature allows users to set up a private VPN connection over Teltonika's infrastructure to create some kind of a local network over the cloud between Teltonika routers and remote devices," says Claroty.
The research results from collaborating with OTORIO, joining forces for disclosure and resolving significant issues in the affected product lines.
"Teltonika Networks mitigated the vulnerabilities in coordination with CISA, which published an advisory," concludes Claroty.