
Should devices automatically execute code from a removable thumb drive? Now, you may think the answer is clearly no. That’s the standard for all modern electronics, after all. But imagine the following:
You’re a manufacturer of an energy IoT or OT device. The device has no display support, no keyboard support, and only serial output for logs. The user has misconfigured the device into an unusable state (imagine disabling SSH via a remote session), or maybe a bug bricked it. Said device is deployed on an oil rig in the middle of the ocean, only accessible by helicopter once a week. You can see why that manufacturer could be tempted to answer the question differently.
That is, of course, an extreme example, but it clearly demonstrates why OT vendors implement such mechanisms more often than consumer electronics.
Don’t let my devil's-advocating skills mislead you too quickly, however! Not all deployments are as isolated as an oil rig, while still being high-value targets. Such is the case for the vulnerability we’ve discovered in the FIMER VSN700 Data Logger. Built to sample data from distributed energy resources, such as solar inverters and battery energy storage systems (BESS), it can provide plenty of access from an attacker's perspective, while also being deployed in the field.
The discovered vulnerability allows anyone with physical access to the device to execute a script with root privileges, unauthenticated.
Physical Security Illusion
It’s common to say that once an attacker gains physical access, it is game over. We all, however, hopefully, have some form of authentication on our phones and laptops. Their storage - encrypted. The servers in our data centers? Locked away behind fairly high security. So why should our energy infrastructure bend to the will of any passerby?
It has already been demonstrated over and over that state actors are trying to target energy infrastructure. Yet all it takes is a data logger mounted to the side of a building, or on the edge of a remote solar farm.
The Anatomy of The Exploit
The vulnerability allows an attacker to run arbitrary code with root privileges, given access to the USB port. After a reset or power cycle, the data logger will look for a file named upgrade in a connected USB storage device. If the file is found, it will be executed immediately with root privileges.
The system service defined in the file S11usb_upgrade, which starts on device startup, looks for the block devices /dev/sda1 and /dev/sda (a USB flash drive). If one is available, it will attempt to mount a vfat filesystem from that device and execute a file named upgrade as a shell script.
It is worth noting that the script will run with root privileges, without being validated (signed cryptographically), and no authentication is required.
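For contrast, below is what a hardened version of such a boot-time upgrade hook could look like. This is an added example written for this post, not FIMER's S11usb_upgrade script and not SaiFlow code. It assumes a vendor public key installed at /etc/upgrade/vendor_pub.pem, a mount point at /mnt/usb, a detached signature file upgrade.sig next to the upgrade script, and an openssl binary on the device (many BusyBox-based devices do not ship one, so a vendor would substitute its own verification tool). The key points it demonstrates: an unsigned or tampered script is refused, the media is mounted noexec, and the script is copied to a private staging directory before it is verified and run, so the file that was checked is the file that executes.

```shell
#!/bin/sh
# Hardened boot-time upgrade hook (added example, not the vendor's script).
# Only executes DIR/upgrade if DIR/upgrade.sig is a valid SHA-256/RSA
# signature over it, made with the vendor's private key.

# Assumed locations (placeholders chosen for this example).
UPGRADE_PUBKEY="${UPGRADE_PUBKEY:-/etc/upgrade/vendor_pub.pem}"
USB_MOUNT="${USB_MOUNT:-/mnt/usb}"

# verify_and_run_upgrade DIR PUBKEY
# Returns 0 after running a verified copy of DIR/upgrade.
# Returns 1, and runs nothing, if the script, signature or key is missing
# or the signature does not verify.
verify_and_run_upgrade() {
    dir="$1"
    pubkey="$2"

    [ -f "$dir/upgrade" ]     || { echo "no upgrade script present" >&2; return 1; }
    [ -f "$dir/upgrade.sig" ] || { echo "upgrade present but unsigned: refusing" >&2; return 1; }
    [ -r "$pubkey" ]          || { echo "vendor public key missing: refusing" >&2; return 1; }

    # Copy to private storage first: verify and execute the same bytes, so
    # the media cannot be swapped between the check and the execution.
    staging="$(mktemp -d)" || return 1
    cp "$dir/upgrade" "$staging/upgrade" && cp "$dir/upgrade.sig" "$staging/upgrade.sig" || {
        rm -rf "$staging"; return 1;
    }

    if ! openssl dgst -sha256 -verify "$pubkey" -signature "$staging/upgrade.sig" \
            "$staging/upgrade" >/dev/null 2>&1; then
        echo "signature check FAILED for $dir/upgrade: refusing to execute" >&2
        rm -rf "$staging"
        return 1
    fi

    echo "signature OK, executing verified upgrade" >&2
    /bin/sh "$staging/upgrade"
    rc=$?
    rm -rf "$staging"
    return "$rc"
}

# Boot-time flow mirroring the advisory's description (sda1, then sda),
# with the signature gate above and a read-only, noexec mount.
usb_upgrade_boot() {
    for dev in /dev/sda1 /dev/sda; do
        [ -b "$dev" ] || continue
        mkdir -p "$USB_MOUNT"
        if mount -t vfat -o ro,noexec,nosuid,nodev "$dev" "$USB_MOUNT"; then
            verify_and_run_upgrade "$USB_MOUNT" "$UPGRADE_PUBKEY"
            umount "$USB_MOUNT"
            return 0
        fi
    done
    return 0
}

# Only run the boot flow when invoked explicitly, e.g. from the init script.
if [ "${1:-}" = "--boot" ]; then
    usb_upgrade_boot
fi
```

The vendor signs a release with its private key (openssl dgst -sha256 -sign vendor_key.pem -out upgrade.sig upgrade) and ships only the public key on the device; anyone can still write an upgrade file to a stick, but without the private key it will never be executed. Signature verification does not replace physical port protection or an audit trail, it just removes the "any passerby" property described above.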
We validated the vulnerability using QEMU, and it can be reproduced simply by the following steps:
- Format a thumb drive as vfat (we used a single partition, but theoretically it should work with no partitioning as well).
- Create a file named upgrade in the thumb drive’s root directory.
- The contents of the file should be something along the lines of:

#!/bin/sh
echo '################'
echo 'Script was executed.'
echo "$(whoami)"
echo '################'

- Plug the thumb drive into the device.
- Reset or power cycle the device.
- The message should be printed to the serial output, including the username root.
Secure Your Energy IoT Assets
You can’t secure what you can’t see - and you certainly can’t defend against threats you don’t recognize.
While SaiFlow cannot physically secure your USB ports, it can continuously monitor your network for rogue devices and suspicious activity, providing real-time visibility into these types of threats. In scenarios like the one described above, an attacker’s objective is typically to issue malicious commands, move laterally across the network, or manipulate logged data to cover their tracks. SaiFlow helps you detect all of the above - alerting in real time to abnormal commands sent to critical assets like inverters, and identifying inconsistencies or tampering in your data.
SaiFlow’s Energy Runtime Security Platform delivers comprehensive visibility across energy IoT devices and sites, combined with real-time detection powered by deep domain context - so you not only see what’s happening, but understand what should and shouldn’t happen across your environments.
