While industrial VPN gateways such as Cosy+ play a crucial role in enabling secure remote access to critical operational technology (OT) systems, these devices have become lucrative targets for threat actors due to their importance and architectural vulnerabilities within industrial environments.
Researchers uncovered several vulnerabilities in the Cosy+ that could allow attackers significant control over the device and connected industrial infrastructure. They also presented their findings at the recent DEF CON 32.
Hacking Ewon Cosy+ Devices To Obtain Root Access
The researchers from German cybersecurity firm SySS GmbH focused on finding vulnerabilities that allowed them to learn more about the Cosy+’s functionality, as the device’s encrypted firmware and hardware security measures posed a steep initial challenge. Their persistence paid off when they discovered a simple OS command injection vulnerability in the way Cosy+ handled user-provided OpenVPN configurations.
By carefully crafting the OpenVPN configuration, the researchers were able to bypass the vendor’s filter mechanisms and execute arbitrary commands on the device, ultimately obtaining root-level access. This access allowed them to deploy their own persistent SSH service, providing them a reliable method of accessing the Cosy+ remotely.
The Cosy+ is touted as a secure hardware security module (HSM) that protects sensitive data and cryptographic functions. However, the analysis exposed that the communication between the device’s main processor and HSM was not properly secured.
The researchers were able to reverse-engineer the decryption process, allowing them to access the sensitive information stored within the HSM. They also investigated the encryption used to protect the Cosy+’s firmware updates and configuration files. Despite the security perimeters in place, the researchers were able to bypass the encryption and access the plaintext contents, including passwords and other sensitive information.
By combining the vulnerabilities such as OS command injection and Cross-Site Scripting (XSS) they were able to devise an exploit chain that would allow an unauthenticated attacker to gain root access to the Cosy+ and potentially hijack remote access sessions, posing significant security risks to the device’s users and the connected industrial infrastructure.
Responsible Disclosure and Vendor Response
The researchers responsibly disclosed their findings to HMS Industrial Networks, the vendor who develops the Ewon Cosy+. The vendor acknowledged the issues and has since worked to address them in subsequent firmware updates.
However, the widespread use of the Cosy+ in critical industrial environments poses an additional challenge and consideration for thorough security assessments and the need for vendors of similar scale to prioritize the security of their products.