
Abstract

Industrial routers are widely used in factories, power stations, manufacturing automation, ATMs and other industries to provide connectivity between different parts of manufacturing infrastructures. In such crucial areas of use, security is very important, because the cost of a security flaw is usually high. Industrial routers, just like all other routers, support many network services and protocols: an HTTP server for configuration and diagnostics, SSH/Telnet, FTP, SNMP and others. Modern routers also feature cellular support, as they may be located at a remote site or in a vehicle (e.g. a locomotive). Additionally, many industrial routers support vendor-specific proprietary network protocols for solving special tasks. I’m sure everyone knows that vulnerabilities in such network services may allow potential malefactors to gain access to critical industrial networks. This is the reason the decision was taken to look at modern industrial routers from the information security perspective.
During the talk, I would like to highlight the main reasons why the security of industrial routers is important. I would also like to present security research on industrial routers, using the "Digi Wireless Routers" family as an example research target. These routers are managed by a custom proprietary operating system, Sarian OS. I will focus mostly on revealing the internal workings of the OS, including network protocol implementations and security features, and will show a video demonstration of vulnerabilities identified during the research.
No researchers have previously examined Sarian OS in the context of security or published results of such a study. Therefore, the material is fresh, useful and interesting for the security community. This research covers my whole path, from getting the firmware of the router and analyzing it to finding complex vulnerabilities. I will describe all techniques and tools needed for conducting such research, and explain all technical details.