This afternoon the DHS ICS-CERT published an advisory for an insufficient entropy vulnerability in Moxa’s OnCell Gateways, cellular IP gateways. The vulnerability was reported by Nadia Heninger (UCSD) and Zakir Durumeric, Eric Wustrow, and J. Alex Halderman (UM) in a coordinated disclosure.
ICS-CERT reports that a highly skilled attacker could remotely exploit this vulnerability to gain unauthorized access to the system. Moxa has produced a firmware upgrade that mitigates the vulnerability, though there is no indication in the Advisory that anyone outside of Moxa has verified the efficacy of the upgrade. Actually Moxa released the upgrade in early April, 2013 and has been notifying their customers of the situation.
ICS-CERT provides their standard tactics for protecting control systems (avoiding internet exposure, locate devices behind firewalls, use VPNs for remote access etc). What is missing is any mention of dealing with cellular access, particularly important when the vulnerable system is used for connecting devices to a cellular network.