OTPulse

N-Tron 702W Hard-Coded SSH and HTTPS Encryption Keys (Update A)

Act Now | 10 | ICS-CERT ICSA-15-160-01A | Mar 12, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The N-Tron 702W Industrial Wireless Access Point contains hard-coded SSH and HTTPS encryption keys in all versions. These keys are not unique per device and cannot be changed. An attacker with network access to the device can use the embedded keys to decrypt encrypted management sessions, bypass authentication, or impersonate the access point. This affects all versions of the 702W and no firmware update is available.
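
Because the keys are not unique per device, every affected unit in an inventory presents the same SSH host key. The following added example (not part of the advisory or any vendor tooling) groups `ssh-keyscan` output by key fingerprint and lists hosts in your own inventory that share a host key; the addresses and key blobs are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
from collections import defaultdict


def _blob(seed: bytes) -> str:
    """Build a constructed (fake) key blob so the sample needs no real key material."""
    return base64.b64encode(seed).decode()

# Constructed sample in ssh-keyscan output format: "<host> <key-type> <base64-blob>".
SAMPLE_KEYSCAN = "\n".join([
    "# 10.10.1.11:22 SSH-2.0-constructed",
    f"10.10.1.11 ssh-rsa {_blob(b'constructed-shared-key')}",
    f"10.10.1.12 ssh-rsa {_blob(b'constructed-shared-key')}",
    f"10.10.1.13 ssh-rsa {_blob(b'constructed-shared-key')}",
    f"10.10.2.20 ssh-ed25519 {_blob(b'constructed-unique-key')}",
    "10.10.2.21 ssh-rsa not!valid!base64",
])


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(keyscan_text: str) -> dict[str, list[str]]:
    """Map "<key-type> <fingerprint>" to sorted hosts, only for keys seen on 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for line in keyscan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comment or banner lines carry no key
        parts = line.split()
        if len(parts) < 3:
            continue
        host, key_type, blob = parts[:3]
        try:
            fp = fingerprint(blob)
        except ValueError:
            continue  # malformed key material: skip rather than mis-group
        hosts_by_key[(key_type, fp)].add(host)
    return {f"{kt} {fp}": sorted(h) for (kt, fp), h in hosts_by_key.items() if len(h) > 1}


if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{key} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any group this reports is a set of devices whose management sessions rely on the same key, which makes them candidates for the isolation steps under Remediation & Mitigation.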

What this means
What could happen
An attacker with network access to the wireless access point could intercept encrypted communications or authenticate as an administrator, potentially gaining full control of network traffic and configuration on the wireless network.
Who's at risk
Manufacturing facilities using N-Tron 702W industrial wireless access points for plant floor communications, particularly those connected to corporate networks or accessible from engineering workstations.
How it could be exploited
An attacker on the network sends an SSH or HTTPS request to the N-Tron 702W access point. The device uses a hard-coded encryption key embedded in all units, allowing the attacker to decrypt the connection, forge authentication, or impersonate the device in encrypted sessions.
Prerequisites
  • Network access to the N-Tron 702W on port 22 (SSH) or port 443 (HTTPS)
  • Knowledge of the hard-coded encryption keys (publicly disclosed or reverse-engineered from firmware)
remotely exploitable, no authentication required, low complexity, no patch available, hard-coded credentials
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product | Affected Versions | Fix Status
N-Tron 702-W Industrial Wireless Access Point: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate the N-Tron 702W access point behind a firewall; restrict SSH and HTTPS access to trusted engineering workstations only
  • WORKAROUND: Disable SSH and HTTPS management access if not required for operations; use an out-of-band management network if remote management is needed
  • HARDENING: Implement network segmentation to prevent untrusted clients from reaching the wireless access point management interface
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor SSH and HTTPS access logs to the device for unauthorized connection attempts