OTD144 Device security

Introduction

This article provides details about security features and recommendations used for OTD144 products and how to properly implement it ensuring cyber-security best practices.

Security Guidelines

Listed below are general security recommendations and hardening techniques. These should be applied not only to Teltonika Networks products, but to all internet-facing devices to ensure the best possible security posture and resilience to cyber-attacks.

Guideline Categories

General Security Best Practices
Device Hardening Recommendations
Secure Operation & Maintenance

General Security Guidelines

Recommendation	Priority	Details	Mitigation
Keep Firmware Updated	Critical	Always run the latest stable firmware. Firmware updates contain critical vulnerability patches.	Prevents exploitation of known vulnerabilities fixed in newer firmware versions.
Use Complex Passwords	Critical	Use complex passwords. At the least password should contain minimum 12 characters and include numbers, symbols, capital and lowercase letters. Avoid using common words.	Protects against common password attacks such as brute-force attacks.
Enforce HTTPS and SSH	Critical	Only use secure protocols (*HTTPS, SSH*). Avoid the usage of HTTP, Telnet and other insecure protocols where available.	Prevents interception of network traffic.
Install Only Trusted Packages	Critical	Only install packages from verified and trusted sources. To ensure integrity, Teltonika Networks digitally signs all its firmware and packages.	Prevents execution of malicious or tampered software and supply-chain attacks.
Disable Unused Services	Critical	Turn off unused interfaces like Web CLI, WiFi, SMS utilities, etc., to reduce the attack surface.	Reduces attack surface by minimizing potential entry points.
Use WPA3 WiFi	High	WPA2 is still considered secure. However WPA3 introduces features that provide better support for IoT device security.	Provides stronger wireless security. WPA3 mitigates offline bruteforce attacks.
Assign Minimum Necessary Permissions	High	Make sure to provide the least amount of required permissions for any additionally created user account.	Limits impact of compromised accounts and prevents privilege escalation.
Use Key-Based SSH Authentication	High	If possible, use public/private key pair SSH authentication instead of password-based SSH logins.	Provides stronger authentication than passwords, which can be stolen or guessed.
Regularly Review SIM Usage	Medium	Monitor and limit SIM card SMS/data use. Disable SMS management if not in use.	Helps detect abnormal activity and potential system compromise early.

Security Hardening Recommendations

Recommendation	Priority	Details	Mitigation
Limit Administrative Access	Critical	Do not expose WebUI or SSH to the public internet. Use a VPN or allowlist IPs if remote access is needed.	Reduce attack surface. Using secure communication channels like VPNs provides a stronger security posture for remote system access.
Use a VPN for Remote Access	Critical	Use IPsec, OpenVPN, WireGuard or other reliable VPN service for remote access. Never expose management interfaces directly.	VPNs encrypt data in transit, preventing malicious actors from intercepting communications.
Apply IP Whitelisting	Critical	Restrict access to remote services based on specific IP addresses using a firewall.	Restricting access for management interfaces avoids overexposing to the internet, mitigating accidental management interface discoveries and attacks.
Do Not Rely on Obscure Ports Alone	High	Avoid using non-standard ports as a primary defense. Use in conjunction with firewall rules.	Obscure ports provide limited protection; firewall-based controls (such as IP whitelisting) offer more reliable security.
Disable WiFi if Not Needed	High	Disable WiFi entirely or reduce transmission power if wireless access is unnecessary.	Reduces the overall attack surface by removing unused wireless entry points.
Use Secure Firmware Validation	High	Teltonika Networks firmware is digitally signed and authorized for security. Additionally only apply firmware with verified SHA-256 hashes. Avoid MD5/SHA-1.	Ensures firmware authenticity and prevents installation of tampered or malicious software.
Disable SMS/Call Utilities by Default	Medium	Disable SMS command features unless explicitly required. Use phone number whitelists and log all commands. Authentication is available via administrative password, custom password or device serial number.	Reduces the overall attack surface by removing SMS as an interface for commands.

Secure Operation & Maintenance

Recommendation	Priority	Details	Mitigation
Continuous Access Monitoring	Critical	Regularly monitor login attempts and access logs. Enable Event Juggler alerts for critical changes.	Helps detect early signs of compromise or unauthorized system changes.
Review and Audit Firewall Rules	Critical	Keep firewall rules up to date. Remove unused or overly permissive rules.	Improper or outdated firewall rules can weaken security or disrupt legitimate traffic handling.
Rotate Passwords & SSH Keys Periodically	High	Rotate credentials and SSH keys at regular intervals. Immediately revoke compromised credentials.	Reduces the risk posed by leaked, reused, or long-lived credentials.
Audit Protocols and Services	High	Ensure only secure protocols are used. Disable legacy or insecure options (*e.g., FTP, Telnet*).	Minimizes exposure to known vulnerabilities associated with outdated protocols.
Conduct Periodic WiFi Audits	Medium	Reassess SSIDs, encryption methods, and user access permissions periodically.	Ensures wireless security controls remain effective and properly configured.
Verify Backups Securely	Medium	Encrypt backups. Use SHA-256/SHA-512 hashes to validate backups before restoring them. Store securely.	Enables reliable recovery from data loss events, including ransomware or system failures.

OTD144 security features

In the table below you can find all the security features supported by Teltonika's OTD144 device.


Category	Feature	Default	Purpose/Description
DDoS Protection	SYN Attack Protection	On	Blocks excessive SYN requests to prevent resource exhaustion.
	Ping Attack Protection	Off	Mitigates ICMP (Ping) flood attacks.
	SSH Attack Prevention	Off	Blocks excessive SSH requests.
	HTTP Attack Prevention	Off	Blocks excessive HTTP requests.
	HTTPS Attack Prevention	Off	Blocks excessive HTTPS requests.
Custom Configuration	Custom Rules	Empty	Allows adding custom firewall rules via iptables commands.
Custom Configuration	DMZ	Off	Allows separating LAN-side network into separate zones with heavily restricted access.
Port Scan & TCP Attack Protection	Port Scan Prevention	Off	Detects and blocks port scanning attempts.
	SYN-FIN Attack	Off	Blocks packets with both SYN and FIN flags set.
	SYN-RST Attack	Off	Prevents abrupt TCP session resets.
	X-Mas Attack	Off	Blocks TCP packets with multiple unusual flags set.
	FIN Scan	Off	Blocks FIN packets used to bypass firewalls.
	NULL Flags Attack	Off	Blocks TCP packets with no flags set.
Access Control – Remote	SSH Access	Off	Disabled by default; use only with strong passwords.
	HTTP Access	Off	Disabled by default; use only with strong passwords.
	HTTPS Access	Off	Disabled by default; use only with strong passwords.
	CLI Access	Off	Disabled by default; use only with strong passwords.
Access Control – Local	SSH Access	On	Allows local configuration over LAN.
	HTTP Access	On	Allows local WebUI configuration over LAN.
	HTTPS Access	On	Allows local WebUI configuration over LAN.
	CLI Access	On	Allows local command-line configuration over LAN.
Login Protection	SSH Login Attempts	On	Blocks IP after 10 failed attempts (default).
Login Protection	WebUI Login Attempts	On	Blocks IP after 10 failed attempts (default).
Configuration Security	SMS Utilities	Admin password	SMS commands require admin password.
Configuration Security	Default Admin Password	On	Default password is present on the device label.
Certificates	Root CA	Preloaded	Default root certificate included; can be replaced.
Other Protections	UPnP	Not installed / Off	Disabled to prevent unauthorized port forwarding.
Other Protections	UART Interface	Admin password	Requires password to prevent unauthorized physical access.

Secure disposal guidelines

When decommissioning a device, it is essential to ensure that all sensitive data is securely erased. Follow this guide to properly reset and decommission your device:

Remove the product - Remove the product from its working environment: disconnect all cables, unscrew device if it is attached to a surface, remove from enclosure.
Back Up Important Data - Before starting the decommissioning, back up any important configurations or data that may be needed in the future.
Reset the Device to Factory Settings - Follow the model specific instructions for a factory reset available here.
NOTE: This reset will erase all configurations, RMS data, logs, and the PIN code, restoring the device to its original factory settings.
Verify the Reset - Once the reset is complete, log into the device using the default login credentials to verify that the device has been successfully reset. Check that all settings have reverted to their factory defaults and that no old configurations or data remain.
Handle Physical Storage Media – If the device includes removable storage such as USB flash drives, SD cards etc. that also needs to be disposed of ensure they are securely wiped using certified data erasure tools or physically destroyed in accordance with data protection regulations.
Chain of Custody - If devices are sent to third parties for disposal, maintain a clear chain of custody.

Defense in Depth

Defense in Depth (DiD) is a layered security strategy that combines multiple controls across various levels - application, network, physical, and operational - to protect systems and data. It ensures that even if one control fails, others remain in place to mitigate threats. A comprehensive DiD approach includes access controls, network segmentation, regular updates, attack prevention systems, and user education, forming a resilient security posture.

Security Capabilities and Defense-in-Depth Strategy

Application layer:

Authentication and Authorization - Ensures only authorized users can access devices administration and programming interfaces. Prevents unauthorized individuals from accessing secured systems.
Access control mechanism - prevents unauthorized access to the devices configurations and protects sensitive information. Ensures that configuration files and other critical areas are accessible only to authorized users.

Network layer:

NAC (Network Access Control) - Restricts network access to authorized and compliant devices based on predefined policies. Useful for enforcing posture checks and limiting lateral movement.
Network encryption - Utilizes encryption mechanisms for wireless communication and IPsec. Encrypting network traffic prevents malicious actors from intercepting ongoing communications.
Network Firewall - Firewalls control ingress and egress network traffic based on predetermined security rules to prevent unauthorized access and traffic.
Network Segmentation - Divides the network into smaller, isolated segments. Reduces the attack surface by isolating critical systems.
VPN (Virtual Private Networks) - Encrypts data transmitted over the network and ensures secure communication channel for remote access.
Network Failover System - Ensures continued network availability in the event of hardware, link, or service failure.
Attack prevention - Mitigates the risks of most common network layer attacks (e.g.: DoS, SYN Flood).

Defense-in-Depth recommendations

The following defense in depth measures are recommended:

Network Segmentation - Segment network to isolate different types of traffic and devices. Allows to limit the damage in case of device compromise.
Secure Access Controls - Utilize strong authentication and authorization mechanisms to control access to the network and devices. Prevents unauthorized individuals from reaching internal systems.
Regular Software Updates - Keep all software and firmware up to date to protect against known vulnerabilities.
Change Default Configuration - Change default usernames, passwords, and settings on the device. Default credentials can sometimes be found on public resources thus changing them is critical for security.
Disable Unused Services - Turn off unused services and ports on the device to reduce the attack surface.
Enable Security Features - Enable built-in and configurable security features such as SYN flood protection, HTTP attack mitigation, port scan detection, and rate-limiting. Provides strong protection against some cyber-security attacks.
Physical Security - Restrict physical access to the device and other critical network hardware to authorized personnel only. Prevents potential tampering from unauthorized or malicious individuals.

RutOS Declaration of Software security

Penetration Testing is one of the most cost effective tools to detect, analyze and make informed decisions about how to fix vulnerabilities and misconfigurations in business applications, IT, mobile and Wi-Fi infrastructures. Pen Test Partners use a variety of Penetration Testing approaches and techniques so that manufacturers can see their business as an attacker would, avoiding costly breaches and achieving compliance by discovering and evaluating risk.

Teltonika’s RutOS firmware "RUT**_R_00.07.11.2" was tested by Pen Test Partners and after a thorough review, it was deemed that our firmware is not susceptible to any immediate outside threats.

We are proud to have achieved this rating and will continue to improve the security of our products.

The aforementioned security changes are available from firmware version RUT**_R_00.07.11.2.

" ** "stands for the specific model, the difference in models is only seen from a hardware and functionality standpoint.

You can find the newest firmware version for each device here

Attachments

You can the find PDF version of the declaration here.