Sierra Wireless Airlink

The Sierra Wireless AirLink series of cellular routers are used to put devices online via the cellular network. They are used in many industrial applications where traditional Ethernet or Wi-Fi is not an option. There have been several disclosures concerning cross-site request forgery and other vulnerabilities in the ACEManager web server running on the AirLink Raven XE and XT devices. ACEManager listens on port 9191 and is the configuration interface for the router itself. Even in the wake of Mirai, the application of patches by users is sluggish at best. While measures are being taken to address those vulnerabilities [1] [2], there is still the issue of the telnet service that is used to manage the router itself: facing the internet, on port 2332, is the AirLink AT Command Interpreter.

AT commands are the low-level commands used to program modems. For cellular modems, much of the syntax is the same for basic commands (AT&V, AT+CIMI? etc.), with many vendor-specific commands implemented depending on the device type and application. The Sierra Wireless modems have some basic commands for network configuration, and communicating with them is laid out in the wide array of user documentation available online (see the Verizon Manual). Here are some AT commands for interacting with the AirLink Raven XE and related devices.

--- Commands ---------------------------------------------------------------//--

Administrative Commands
+------------------------+-----------------------------------------------------+
| AT                     | Confirm Connection - Should return "OK"             |
| ATI1                   | FW Version, HW ID, Copyright. 0,2,3 also options.   |
| AT+HWTEMP?             | Hardware Temperature                                |
| AT*DEVICEID            | Get Device ID                                       |
| AT*MODEMNAME=modemname | Set or query Modem Name                             |
| ATE1                   | Toggle Echo 1 ON 0 OFF                              |
| ATA/                   | Execute Last Command                                |
| ATZ                    | Resets Modem                                        |
| AT+++                  | Escape Sequence                                     |
| AT&W                   | Save changes                                        |
| AT&V                   | View Contents of Registers / Active Profile         |
| AT\ACEPW=[password]    | Set new password                                    |
+------------------------+-----------------------------------------------------+

Power
+------------------------+-----------------------------------------------------+
| ATVLTG[=n]             | Query/set voltage levels to trigger low power mode  |
| AT*POWERMODE?          | Display current power state/mode                    |
+------------------------+-----------------------------------------------------+

Cellular Commands
+------------------------+-----------------------------------------------------+
| AT+RCIQ?               | Current Cell Information                            |
| ATS202?                | Get RSSI in dBm                                     |
| AT+COPS?               | Network Operator                                    |
| AT*NETIP?              | Current IP Address                                  |
| AT*NETPHONE?           | Get Device Phone Number if Applicable               |
| AT+CIMI?               | IMSI                                                |
| AT+ICCID?              | Get full SIM ID                                     |
| AT*PPIP                | Get the IP that the modem sends reports to.         |
| AT*SMSM2M="1num msg"   | Send text (msg) to 1NPANXXYYYY (1num)               |
+------------------------+-----------------------------------------------------+

Network Commands
+------------------------+-----------------------------------------------------+
| AT*NETSTATE?           | Get State of device network connection              |
| AT*DNS1                | DNS Resolver 1                                      |
| AT*DNS2                | DNS Resolver 2                                      |
| atnslookup=[fqdn]      | Return Domain IP                                    |
| atnslookup=[ipaddr]    | Return IP domain                                    |
| ATPINGx.x.x.x,n        | Ping IP or Domain, n is number of bytes. default=50 |
| AT*DBGIPLVL=n          | Set logging, 0 None | 1 Errors | 2 All              |
+------------------------+-----------------------------------------------------+

GPS Commands
+------------------------+-----------------------------------------------------+
| ATGPS                  | Report NMEA GGA, RMC, VTG GPS Strings one time.     |
| ATGPS1                 | Report once per second until ATGPS or reset         |
| AT*PPIP=[ipaddr]       | Server where GPS Reports are sent                   |
+------------------------+-----------------------------------------------------+

A quick way to get information on the unit you are connected to is the good old AT&V, which dumps pretty much everything about the device, including the contents of its registers (some of which hold user data), DNS info, GPS coordinates, IMSI, and a slew of other interesting nuggets.

Some of the most interesting commands in this set involve reporting GPS coordinates to a host. ATGPS1 reports all available GPS data (in a variety of formats) once per second to the host defined by AT*PPIP until it is told to stop or the device resets, and AT*PPIP= lets anyone who can log in redefine the host that receives this data. This would not be a big deal if not for the tens of thousands of these units that are accessible via telnet with the default password of 12345. Counting the many devices similar to the Raven XE and XT, there is a potential DDoS vector here: point AT*PPIP at a victim and the endless stream of GPS reports goes there, much like the chargen-based attacks of yore. The ping command could be abused in the same way, but an attacker would need to keep re-sending ATA/ and maintain an active socket.

The most troubling command (in my opinion) is AT*DNS1. With it, an attacker can hijack the DNS of any of these modems and reroute traffic to a malicious server. Since many of these are connected to industrial control systems of some kind, this attack could have devastating consequences.

A quick Shodan search for port 2332 returns over 67,000 results for Sierra Wireless devices. Refining the search with the term "password" returns strictly the AirLink AT Command Interpreter interface in its default configuration (no username, just a password to log in), about 22,000 results. The banner looks like this:

AirLink AT Command Interpreter
Password:

Further scanning of the specific IP ranges that carriers allocate to cellular modems reveals even more devices.

On devices with SMS-enabled SIM cards, there is also the option to send an SMS message using the following command:

AT*SMSM2M="1NPANXXXXXX this is a test"

with 1 being the country code for the US and Canada, NPA the area code, NXX the exchange, and XXXX the last four digits of the number.

What Now?

Just as with any IoT device, it is of the utmost importance that users make themselves aware of the network services their devices have open, and disable any services they do not use. It is also critically important to patch regularly and to change any and all default passwords (on these units, AT\ACEPW=[password] from the table above), even if you do not plan to use the service in the future.
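Putting the table and the two warnings above (default password, attacker-settable AT*DNS1/AT*DNS2/AT*PPIP) into an audit you can run against your own units, as an added example that is not part of the original post and not Sierra Wireless tooling. The fake device is constructed so the script runs offline; the exact banner, the "OK" after login and the "<name>=<value>" shape of query replies are assumptions about the real interpreter, and the approved resolver and report-host addresses are placeholders you would replace with your own.

```python
"""Added example: audit an AirLink-style AT Command Interpreter over TCP.

Not code from the original post or from Sierra Wireless. The fake device is
a constructed stand-in; its framing (banner, "OK" after login, "<name>=<value>"
query replies) is an assumption, not something taken from the page.
"""
import socket
import threading

DEFAULT_PASSWORD = "12345"

# Constructed fake device state, keyed by the AT register names from the post.
FAKE_STATE = {
    "*DEVICEID": "0x0000000000ABCD",
    "*DNS1": "198.51.100.53",   # on the example allowlist
    "*DNS2": "8.8.8.8",         # not on the example allowlist
    "*PPIP": "203.0.113.9",     # GPS report host nobody approved
}


def fake_device(server: socket.socket, password: str) -> None:
    """Serve one session the way the post describes port 2332 (assumed framing)."""
    conn, _ = server.accept()
    with conn, conn.makefile("rb") as rfile:
        conn.sendall(b"AirLink AT Command Interpreter\r\n\r\nPassword: ")
        if rfile.readline().strip() != password.encode():
            conn.sendall(b"Invalid password\r\n")
            return
        conn.sendall(b"OK\r\n")
        for raw in rfile:
            cmd = raw.decode(errors="replace").strip().upper()
            name = cmd[2:-1]
            if cmd == "AT":
                conn.sendall(b"OK\r\n")
            elif cmd.startswith("AT") and cmd.endswith("?") and name in FAKE_STATE:
                conn.sendall(f"{name}={FAKE_STATE[name]}\r\nOK\r\n".encode())
            else:
                conn.sendall(b"ERROR\r\n")


class ATSession:
    """Line-oriented client: commands end in CR LF, replies end in OK or ERROR."""

    def __init__(self, host: str, port: int = 2332, timeout: float = 5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def _read_until(self, marker: bytes) -> str:
        while marker not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("device closed the connection")
            self.buf += chunk
        data, _, self.buf = self.buf.partition(marker)
        return data.decode(errors="replace")

    def login(self, password: str) -> bool:
        """Return True if the interpreter accepted the password."""
        if "AirLink AT Command Interpreter" not in self._read_until(b"Password:"):
            raise ValueError("unexpected banner, not an AirLink AT interpreter")
        self.sock.sendall(password.encode() + b"\r\n")
        return self._read_until(b"\r\n").strip() == "OK"

    def command(self, cmd: str) -> list:
        """Send one command; return reply lines (minus any ATE1 echo) before OK/ERROR."""
        self.sock.sendall(cmd.encode() + b"\r\n")
        lines = []
        while True:
            line = self._read_until(b"\r\n").strip()
            if line == "ERROR":
                raise RuntimeError(f"{cmd} -> ERROR")
            if line == "OK":
                return lines
            if line and line != cmd:
                lines.append(line)

    def query(self, name: str) -> str:
        """Issue AT<name>? and return the value from the '<name>=<value>' reply line."""
        for line in self.command(f"AT{name}?"):
            key, sep, value = line.partition("=")
            if sep and key.upper() == name.upper():
                return value
        raise RuntimeError(f"no {name}= line in reply")

    def close(self) -> None:
        self.sock.close()


def audit(host: str, port: int, approved_dns: set, approved_report_host: str,
          password: str = DEFAULT_PASSWORD) -> dict:
    """Flag the default password and any DNS/GPS-report target not on the allowlist."""
    session = ATSession(host, port)
    try:
        findings = {"default_password_accepted": session.login(password), "issues": []}
        if not findings["default_password_accepted"]:
            return findings
        findings["issues"].append("default AT password accepted; change it with AT\\ACEPW")
        findings["device_id"] = session.query("*DEVICEID")
        for reg in ("*DNS1", "*DNS2"):
            findings[reg] = session.query(reg)
            if findings[reg] not in approved_dns:
                findings["issues"].append(f"{reg}={findings[reg]} is not an approved resolver")
        findings["*PPIP"] = session.query("*PPIP")
        if findings["*PPIP"] != approved_report_host:
            findings["issues"].append(f"*PPIP={findings['*PPIP']} sends GPS reports elsewhere")
        return findings
    finally:
        session.close()


def audit_fake_device(device_password: str) -> dict:
    """Run the constructed fake on a loopback port and audit it with the default password."""
    server = socket.create_server(("127.0.0.1", 0))
    worker = threading.Thread(target=fake_device, args=(server, device_password), daemon=True)
    worker.start()
    try:
        return audit("127.0.0.1", server.getsockname()[1],
                     {"198.51.100.53", "198.51.100.54"}, "198.51.100.20")
    finally:
        worker.join(timeout=5)
        server.close()


if __name__ == "__main__":
    for issue in audit_fake_device(DEFAULT_PASSWORD)["issues"]:
        print("FINDING:", issue)
```

Against a real unit, call audit(host, 2332, your_resolvers, your_report_host) instead of audit_fake_device. Any device that still answers "OK" to 12345 should have its password changed with AT\ACEPW and saved with AT&W per the table above, and its AT*DNS1/AT*DNS2/AT*PPIP values re-checked, since an earlier visitor may already have redirected them.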