The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) put out an advisory regarding the Sierra Wireless AirLink Raven X EV-DO application by Sierra Wireless amid reports that the gateway, used for industrial applications, is vulnerable. The vulnerability stems from a lack of encryption during update and reprogramming processes, and affects versions V4221_4.0.11.003 and V4228_4.0.11.003.
ICS-CERT says that multiple vulnerabilities, identified by a researcher at Cimation, allow for remote reprogramming of the firmware, and the ability for an attacker to affect functionality and operation of the application -- including complete system shutdown.
Impacted, in particular, are energy and transportation in the US, Canada, and Europe. Sierra Wireless is the top provider of the cellular machine-to-machine embedded module market, with approximately 1.4 billion devices.
The company is recommending that customers upgrade to its GX400, GX440, or LS300 devices. So far, firmware, tools, and utility downloads are still available, but the company has discontinued the AirLink Raven X EV-DO.
To monitor ICS-CERT vulnerabilities via ICS-CERT advisories, click here.