Date of Issue: May 2, 2019

Applicable Products:

AirLink® LS300, GX400, GX/ES440, GX/ES450, RV50, RV50X, MP70, MP70E, LX60 and LX40 gateways and routers that:
• Are directly reachable from the public internet, and
• Have SSH reachable over the WAN

Summary

The Sierra Wireless security team has received reports of AirLink devices with SSH remote access enabled acting as proxy servers for external parties. Further investigation of reported devices show that attackers are using compromised usernames and passwords to gain authenticated access to SSH and use the service as a proxy.

Known impacts of this attack are:
• Affected devices are proxying external data, and as such, may incur higher data rates.
• External parties may be able to access ACEmanager and local LAN services, even if remote ACEmanager is not enabled.
All affected customers are advised to take immediate action as detailed in this bulletin.

Recommended Actions:

Sierra Wireless advises customers to follow the recommended actions outlined below. If you require assistance performing these actions or have routers that are exhibiting suspicious behavior, please contact USAT Corp.

  1. If SSH remote access is not required, disable remote access:
    a. In ACEmanager, navigate to Services > Telnet/SSH
    b. Set ‘Telnet/SSH Access Policy’ to ‘LAN’ (default) or ‘Disabled’.
  2. If SSH remote access is required, change the user and sconsole password on all devices to a new secure value, even if the devices previously had a non-default password as the password may have been previously compromised.
    a. In ACEmanager, navigate to Admin > Change Password
    b. Select ‘user’ as the ‘Username’, enter a strong new password, and click ‘Change Password’
    c. Select ‘sconsole’ as the ‘Username’, enter a strong new password, and click ‘Change Password’

For Additional Details Contact USAT:

For all your M2M connectivity needs visit ExpressM2M a service of USAT

For consultation on your next M2M / IoT project contact a USAT Representative