Industrial Hardware Hacking with Flipper Zero

Bypass vendor restrictions and access the underlying Linux operating system using the hardware interfaces of a Flipper Zero

Let's explore how to bypass vendor restrictions and access the underlying Linux operating system of a Moxa NPort W2150A ICS/OT communication server, provided you have physical access. By employing the right tools, you can attain root shell access and reveal plaintext credentials. 

Moxa NPort W2150A in Normal Operation

Before we begin, let’s understand the device from an end user’s perspective. Typically, users interact with the device over the network via Telnet and a web server. While they can configure the device through these interfaces, accessing the underlying operating system is usually restricted. However, with physical access to the PCB, we can obtain a root shell, revealing a whole new level of control.

Initial Exploration


We start by removing the cover of the device, exposing the Printed Circuit Board (PCB). Among the components, we find a group of unlabeled pins. Using a multimeter, we identify the ground pin, a crucial step for subsequent actions. Carefully measuring the voltage of the remaining pins provides valuable insights into their functions.

Analysis and Identification

Connecting a logic analyzer to the pins, we record and analyze the electrical signals. Through careful observation, we discern a pattern indicative of the device’s communication protocol: UART. Using the Flipper Zero, we select GPIO from the menu and use the UART bridge to establish a connection between the device and our terminal emulator.
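To make the logic-analyzer step concrete, here is an added example (not code from the original post) that infers a line's baud rate from the shortest pulse in a capture and then decodes the 8N1 frames. The capture it runs on is constructed in code rather than recorded from the device, and the 8N1 framing and the table of standard baud rates are assumptions.

```python
# Added example, not code from the original post: infer the baud rate of a
# single-line logic-analyzer capture from its shortest pulse, then decode 8N1
# frames (start bit, 8 data bits LSB first, 1 stop bit, no parity). The input
# capture is constructed with encode_uart(), not a recording from the device.
STANDARD_BAUDS = (9600, 19200, 38400, 57600, 115200, 230400)


def encode_uart(data: bytes, baud: int, sample_rate: int) -> list[int]:
    """Build a constructed sample stream (1 = idle/high) to exercise the decoder."""
    bit = sample_rate // baud
    samples = [1] * (4 * bit)                                # idle before first frame
    for byte in data:
        for level in [0] + [(byte >> n) & 1 for n in range(8)] + [1]:
            samples.extend([level] * bit)                    # start, data, stop bits
    return samples + [1] * (4 * bit)                         # idle after last frame


def infer_baud(samples: list[int], sample_rate: int) -> int:
    """The shortest constant run is one bit period; snap it to a standard rate."""
    shortest, run = len(samples), 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            shortest, run = min(shortest, run), 1
    return min(STANDARD_BAUDS, key=lambda b: abs(b - sample_rate / shortest))


def decode_uart(samples: list[int], sample_rate: int, baud: int) -> bytes:
    """Decode 8N1 frames; a low stop bit is a framing error (wrong rate or format)."""
    bit, out, i = sample_rate / baud, bytearray(), 1
    while i + 10 * bit <= len(samples):
        if samples[i - 1] == 0 or samples[i] == 1:            # no falling edge here
            i += 1
            continue
        value = sum(samples[int(i + (n + 1.5) * bit)] << n for n in range(8))
        if samples[int(i + 9.5 * bit)] != 1:                  # stop bit must be high
            raise ValueError(f"framing error at sample {i}: check baud rate/format")
        out.append(value)
        i += int(10 * bit)                                    # jump past the stop bit
    return bytes(out)


if __name__ == "__main__":
    capture = encode_uart(b"Booting Linux...\r\n", 115200, 1_152_000)  # constructed
    baud = infer_baud(capture, 1_152_000)
    print(baud, decode_uart(capture, 1_152_000, baud))
```

A real capture exported from a logic analyzer as one sample per row can be fed to infer_baud and decode_uart the same way, provided the sample rate is several times the baud rate.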

Gaining Access

With everything set up, we power on the device and receive a printout of the bootloader over UART. Soon after, we’re greeted with a root shell, granting us complete control over the device. Checking our privileges with the “whoami” command confirms our status as root, effectively owning the device.


Finding Vulnerabilities

Exploring the device’s filesystem, we uncover configuration files containing plaintext passwords for default users. These vulnerabilities, such as using “syslog” as the password for both system admin and user accounts, pose significant security risks.

Mitigation Strategies

Firmware Update: If you’re still operating Firmware version 1.2, it’s imperative to upgrade immediately to the latest version available. This update addresses known vulnerabilities and enhances the device’s security features.

Network Security: Ensure that only trusted connections are allowed to access the device, minimizing the risk of unauthorized access and potential exploitation.

Limit Physical Access: While our hack required physical access to the device, it’s essential to limit such access to prevent unauthorized tampering. Implementing stringent access controls can mitigate the risk of physical attacks.

Responsible disclosure

Surprisingly, these credentials provided access to both the Telnet interface and the web server, possibly granting unauthorized access to the device configuration. Notably, these credentials diverged from the documented default credentials of “admin:moxa” or “moxa:moxa,” indicating a potential oversight in the device’s security protocols.

I reached out to the Moxa Product Security and Incident Response Team for clarification and resolution. However, their response merely stated: “It is believed that these vulnerabilities had been resolved in later firmware version long time ago”.

Conclusion

The hardware hack on the Moxa NPort W2150A communication server underscores the importance of proactive cybersecurity measures in industrial environments. By understanding the vulnerabilities inherent in such devices and adopting appropriate mitigation strategies, organizations can safeguard their infrastructure against potential threats.

Categories: Hardware Security, Pentesting