Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) warned organizations about vulnerabilities in ipDIO telecontrol communication devices that the vendor no longer supports. ipDIO, made by Germany-based IPCOMM, is a device that records analog and digital inputs from switches, counters, sensors and other equipment, and it supports multiple industrial protocols. According to CISA, the device is deployed by organizations worldwide.
In August 2021, Aarón Flecha Menéndez, an ICS security researcher at S21sec in Spain, reported to IPCOMM through CISA that the ipDIO product is affected by four flaws: two high-severity code injection vulnerabilities and two medium-severity persistent (stored) cross-site scripting (XSS) weaknesses. According to the researcher, exploiting the flaws could allow a remote attacker to take full control of the device and disrupt the process it monitors. However, exploitation requires user interaction (for example, a legitimate user visiting specific pages of the web-based management interface) and, in some cases, the attacker already having access to that web interface.
The researcher also said that after failing to find any internet-exposed devices with the common search engines (Shodan, ZoomEye, FOFA, etc.), he did not attempt more advanced search techniques. The ipDIO product has reached end of life and no longer receives updates. Customers are advised to migrate to the ip4Cloud device, ipDIO's successor. IPCOMM said the advisory was issued in coordination with CISA, and the advisory includes some general guidance on reducing the risk of attacks against the device.
The vendor said it could not say how many customers still run the end-of-life device. The researcher, however, believes it is still in use in the energy sector, particularly among European electricity distributors. Based on his experience with this and other devices for which he has disclosed vulnerabilities, Flecha Menéndez noted that "we are often uninformed of where the devices are deployed and the infrastructures that employ them."