Security Bulletin - 2023-001: Possibility to Replace Endpoint Operating System

2023-10-09 15:49:21

This notice is a response to the publication “Rooting the Cradlepoint IBR600” that was published in October 2023. Cradlepoint is aware of the issue and has determined that replacing the endpoint’s NetCloud OS software in this manner is possible only with sufficient physical access to the endpoint. In the event the software is replaced, it is also possible to read certain configuration data stored locally in the endpoint’s file system. In this scenario, the endpoint would no longer connect to NetCloud Manager (NCM) and the attacker would not have any access to data stored in the customer’s NCM account.

Cradlepoint has assessed the risk to the customer as very low and has confirmed that the described process would work on older models in addition to the IBR600C, including:

  1. AER1600 / AER1650
  2. AER2200
  3. AP22
  4. CBA550
  5. CBA850
  6. IBR200
  7. IBR600B / IBR650B
  8. IBR600C / IBR650C
  9. IBR900 / IBR950
  10. IBR1700
  11. R500-PLTE

Cradlepoint has always emphasized in our Security Best Practices the absolute necessity of physical security, and this exploit is a prime example. It is important to physically secure endpoint hardware and to report lost or stolen Cradlepoint hardware immediately. The use of our cloud-based management platform (NCM) reduces the risk and increases the ability to minimize the impact of such an exploit because stolen endpoints can be remotely wiped (effectively disabling them) if they are connected from an unauthorized location. Our newer generation endpoints already include security enhancements that prevent this exploit; however, that does not alleviate the need for physical security. With physical access, a sufficiently determined attacker can gain access to any product, whether Cradlepoint or another brand.