The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors
Description
The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. The devices transmit process control information via unencrypted Modbus communications. Impact: An attacker can exploit this vulnerability to observe information about configurations, settings, what sensors are present and in use, and other information to aid in crafting spoofed messages. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and Marine Pro Observer Android App. Versions prior to 3.7 on ARMv7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Auto-Maskin DCU-210E, RP-210E, and Marine Pro Observer App transmit process control data in cleartext over Modbus, allowing network-based sniffing of configurations and sensor information.
Vulnerability
The Auto-Maskin DCU-210E, RP-210E, and Marine Pro Observer Android App transmit process control information via unencrypted Modbus communications [1], [2]. This cleartext transmission of sensitive data (CWE-319) affects versions prior to 3.7 on ARMv7 [1]. The vulnerability allows any actor who can sniff network traffic to observe details about device configurations, settings, and sensor presence [2].
Exploitation
A remote attacker with network access to the device's Modbus communication channel can passively sniff the unencrypted traffic [1]. No authentication or user interaction is required, and the attack is remotely exploitable with low skill level [1]. The attacker simply needs to be in a position to capture network packets on the same network segment as the targeted unit [2].
Impact
Successful exploitation enables an attacker to gather intelligence about the device's configuration, settings, and which sensors are present and in use [2]. This information can be used to craft spoofed Modbus messages, potentially leading to arbitrary control of connected engine control units [2]. The required network access and the passive nature of the sniffing limit direct impact, but the information disclosure aids further attacks.
Mitigation
As of the last advisory update (CISA, February 2020), a firmware update to version 3.7 or later may address the issue, but the available references do not explicitly confirm a fix [1], [2]. Critical devices should be isolated on private, carefully secured networks and not exposed to untrusted networks [2]. If no patch is applied, network segmentation and strict access control are the primary mitigations.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
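To check that the segmentation described under Mitigation is holding, captured traffic can be audited for readable Modbus frames arriving from outside the control segment. The following is an added example, not code from the advisories or the vendor; it assumes Modbus/TCP on port 502 (the page does not state the transport variant), and the addresses, allowlist and payloads are constructed.

```python
import struct
from ipaddress import ip_address, ip_network

MODBUS_TCP_PORT = 502  # assumption: standard Modbus/TCP port; the page names only "Modbus"


def parse_mbap(payload: bytes):
    """Return header/PDU fields if payload is a well-formed Modbus/TCP frame, else None."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    # Protocol id is always 0 for Modbus; length counts every byte after the length field.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"transaction": tid, "unit": unit, "function": func & 0x7F,
            "exception": bool(func & 0x80), "data": payload[8:]}


def audit(flows, allowed_nets):
    """Flag cleartext Modbus frames whose source lies outside the allowlisted segments."""
    nets = [ip_network(n) for n in allowed_nets]
    findings = []
    for src, dst, dport, payload in flows:
        frame = parse_mbap(payload) if dport == MODBUS_TCP_PORT else None
        if frame is None:
            continue  # not Modbus, or not parseable as cleartext Modbus
        if not any(ip_address(src) in n for n in nets):
            findings.append((src, dst, frame["function"]))
    return findings


# Constructed sample flows: (source, destination, destination port, TCP payload)
SAMPLE_FLOWS = [
    # Panel on the control segment reading holding registers (function 0x03)
    ("10.20.0.5", "10.20.0.10", 502, bytes.fromhex("000100000006010300000002")),
    # Host outside the control segment reading input registers (function 0x04)
    ("192.168.77.40", "10.20.0.10", 502, bytes.fromhex("000200000006010400010001")),
    # Unrelated traffic on another port
    ("10.20.0.5", "10.20.0.10", 443, bytes.fromhex("1603010200")),
    # Port 502 payload that does not parse as Modbus (e.g. a wrapped channel)
    ("192.168.77.40", "10.20.0.10", 502, b"\x17\x03\x03\x00\x10" + b"\x00" * 16),
]

if __name__ == "__main__":
    for src, dst, func in audit(SAMPLE_FLOWS, ["10.20.0.0/24"]):
        print(f"cleartext Modbus from non-allowlisted {src} -> {dst}, function 0x{func:02x}")
```

Any frame `parse_mbap` accepts was readable without a key, so a finding means both that the channel is in cleartext and that it is reachable from a segment that should not see it.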
Affected products
- Range: <3.7
- Range: <3.7
- Auto-Maskin/DCU-210E (v5), Range: 3.7
- Auto-Maskin/Marine Pro Observer Android App (v5), Range: 0.1
- Auto-Maskin/RP-210E (v5), Range: 3.7
Patches
No patches discovered yet.
References
- www.kb.cert.org/vuls/id/176301 (mitre: third-party-advisory, x_refsource_CERT-VN)
- www.us-cert.gov/ics/advisories/icsa-20-051-04 (mitre: x_refsource_MISC)