Industrial automation devices made by Moxa have been found to be vulnerable to JavaScript injection, allowing an attacker to take control of device settings.
Multiple vulnerabilities have been found in Moxa industrial automation devices that could allow an authenticated user to inject JavaScript, and thereby modify the settings and send bad instrumentation commands to the device. The authentication can be easily bypassed because of weak password policies and the way they are implemented.
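The two weaknesses above, script injection through a settings value and a password policy that accepts trivial credentials, are easier to see side by side. The following is an added example written for this post, not Moxa's firmware or ESET code: a mock settings-page row rendered the unsafe way and the safe way, a check that flags unencoded active markup, and a minimal password-policy check. The field names, the sample label and the list of weak defaults are constructed for illustration.

```python
import html
import re

# Constructed sample values: a device label submitted through a settings form.
MALICIOUS_LABEL = '<script>document.forms[0].submit()</script>Pump 3'
BENIGN_LABEL = 'Pump 3 "main" & spare'

# Constructed sample of credentials that a sane policy must reject outright.
WEAK_DEFAULTS = {"admin", "password", "12345678"}


def render_setting_vulnerable(name: str, value: str) -> str:
    """Build the settings row by plain string interpolation. The stored
    value is written into the page verbatim, so a value containing
    <script> runs in the browser of every user who opens the page."""
    return f'<tr><td>{name}</td><td><input name="{name}" value="{value}"></td></tr>'


def render_setting_safe(name: str, value: str) -> str:
    """Same row, but every untrusted value is HTML-entity encoded
    (quotes included) before it reaches the page, so it is shown as
    text rather than interpreted as markup or an attribute break-out."""
    esc_name = html.escape(name, quote=True)
    esc_value = html.escape(value, quote=True)
    return (f'<tr><td>{esc_name}</td>'
            f'<td><input name="{esc_name}" value="{esc_value}"></td></tr>')


def contains_active_markup(rendered: str) -> bool:
    """Defender-side check over a rendered fragment: is there still an
    unencoded <script> tag or an inline on*= event handler in it?"""
    return re.search(r'<\s*script|\bon[a-z]+\s*=', rendered, re.IGNORECASE) is not None


def password_meets_policy(pw: str) -> bool:
    """Hypothetical minimum policy: 12+ characters, not a known default,
    and at least three of four character classes."""
    if len(pw) < 12 or pw.lower() in WEAK_DEFAULTS:
        return False
    classes = (r'[a-z]', r'[A-Z]', r'\d', r'[^A-Za-z0-9]')
    return sum(1 for p in classes if re.search(p, pw)) >= 3
```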
How can a hack like this be avoided?
“Sadly, most software will have flaws or vulnerabilities. What’s important for the public or users of that software or hardware is how quickly patches and fixes are created and made available for the end user to apply.
“This usually requires the user to download the patch and apply it to their environment, thus fixing that vulnerability.
“The problems, of course, may be making everyone that is affected by the problem aware of the initial problem and that there is a fix available.”
What effect could that have on automation systems in industrial settings?
“Most of the flaws we see in the automation industry are proof of concept; it usually involves a specific environment to be in place, but the impact could in some cases be catastrophic.
“Automation often involves heavy equipment doing precision work, and if it fails it could cause thousands of pounds of damage. If that equipment was to go wrong around or close to humans, then there is always the potential of injury or even death.”
What can organisations do to prevent such an attack?
“It’s virtually impossible to have any software-driven machinery that is 100% secure; the very nature of software dictates that there is always the possibility of someone somewhere finding a way to do something that was not intended to be done.
“What’s important is how quickly it’s fixed. As more and more automation takes place, it’s important to ensure that security is taken very seriously.
“Isolating systems and ensuring only physical access is required to update and maintain systems will keep the attack footprint down.”
Script-based attacks are on the rise, and with Version 10 we have introduced Script-Based Attack Protection.
Join the ESET UK LinkedIn Group and stay up to date with the blog. If you’re interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.