Wi-Fi connectivity is increasingly pervasive. Many organizations have embraced Wi-Fi as a primary means of connecting to network applications and resources. It is significantly cheaper and more convenient than having to run ethernet cable throughout the office. It is also a more feasible option today than it once was because wireless technology has evolved to the point that Wi-Fi speeds today rival or exceed what was possible with wired connections not too long ago. Of course, the benefits of Wi-Fi connectivity also come with some unique security challenges—like the issues recently discovered by Ruben Santamarta, a principal security consultant at IOActive, that allowed him to gain root access to Sierra Wireless AirLink devices.
As a hacker and security researcher, Ruben likes to look a little closer before he chooses to buy a new device. When he was in the market for new Wi-Fi equipment, he chose Sierra Wireless AirLink because the brand is reliable and he appreciate the fact that Talos did a solid job of identifying flaws a couple years ago—so he assumed the equipment should be relatively secure. He still wanted to check it out for himself, though—so he downloaded the firmware from the Sierra Wireless website.
Analyzing the Firmware
In a blog post about his research with the Sierra Wireless AirLink devices, Ruben explains that he was able to unpack the firmware and display a list of files. He found that the important files were encrypted—as you should expect. There was only one clean binary file available (swinstaller) and using that allowed him to uncover relevant details about the others.
Next, he needed to determine what encryption algorithm was used. Digging through the binary revealed strings that clearly indicated lybtomcrypt as the encryption library. He found that Sierra Wireless is using AES CTR and does not appear to have a hardcoded key or IV (initialization vector), which suggested to him that there must be some logic used to generate them at runtime. Ultimately, Ruben was able to find the values needed to derive the IV and the key, and the process used for deriving them—which enabled him to decrypt the firmware files.
Escalation to Root
Thanks to the efforts of Talos mentioned earlier, there were no obvious or critical bugs in the main web interface. Ruben decided to focus elsewhere and took a look at the ALEOS Application Framework (AAF). AAF provides an integrated development environment for developers, OEMs, and system integrators to develop mobile-to-mobile (M2M) applications. The embedded applications reside inside the gateway for seamless integration.
AAF is a main feature—but it is not enabled by default. AAF is only available if it has been enabled by an administrator on the device. The system functions based on least user access (LUA), and Ruben noticed that enabling AAF initiates a custom LUA RPC scheduler. He determined that the RPC deserializes arbitrary functions and arguments—which may be attacker controllable. A malicious actor can exploit this and elevate privilege to the “rauser” account. Using a classic command injection, however, Ruben was able to escalate privileges and obtain root access on the device.
Protecting Sierra Wireless AirLink Devices
The chain of exploits he used can be executed from an adjacent network—enabling an attacker to gain root access without requiring any authentication on a Sierra Wireless AirLink device that has AAF enabled. Again, though, AAF is not enabled by default, so the attack is mitigated in many cases.
IOActive notified Sierra Wireless of their findings and they issued the following advisories:
Sierra Wireless thanks IOActive for the responsible disclosure of these vulnerabilities.
In current versions of ALEOS, the RPC server is enabled only when the AAF user password is defined.
Sierra Wireless recommends that customers enable the AAF user only for devices that are being used for AAF development and debugging. The AAF user is not required for AAF applications to be deployed and run.
Deployed devices must not have the AAF user password enabled.
Sierra Wireless recommends upgrading to the latest ALEOS version for your gateway. For devices running ALEOS 4.13 today, Sierra Wireless recommends upgrading to ALEOS 4.14.0 once it is available.
For more information see our advisory at https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin—swi-psa-2020-005/