Serial killer hack threat to gas pipes, traffic lights, power plants

'You could shut down the electricity grid' warns security biz

Analysis: Medical systems to traffic light boxes are apparently wide open to hackers, thanks to a lack of authentication checks in equipment exposed to the internet.

That's according to research from security toolmaker Rapid7, which says it found plenty of essential electronics that can be freely remotely controlled via public-facing serial port servers.

These serial port servers, also known as terminal servers or serial-to-Ethernet converters, pipe data to and from a device's serial port over the internet. This allows workers to remotely control equipment - from sensors to factory robots - over the web or mobile phone network, which is handy when said machinery doesn't offer an Ethernet connection.

These serial port servers also pop up alongside systems that track vehicles and cargo containers, and can provide auxiliary access to network and power equipment in case of some disaster.

Serial port servers are about the size of a home internet router with one or more serial ports on one side and an Ethernet interface on the other; some products feature wireless or mobile network connectivity.

[Image: Typical serial-to-Ethernet converters. Your common or garden serial port server (Credit: Rapid7)]

A serial cable is plugged in between the port server and the target device - such as a router, server or industrial control system - and the port server is configured to allow remote access to the device: a user can log into the server via telnet, SSH or a web interface. This could involve typing in a correct username and password to satisfy the port server before the connection is passed onto the equipment.

Many serial-connected machines assume that anyone who can talk to them over a serial cable is an authorised employee with physical access, so no further security checks are needed: such a machine accepts commands from whoever is on its serial port, and thus implicitly trusts the port server.

That's why a port server should be configured to authenticate remote users, such as requiring a correct username and password combination, before handing over the reins to the sensitive equipment. If you can bypass or defeat the port server, the equipment is yours to control.

Some more paranoid machines require a valid username and password combination to be sent over the serial line, adding an extra level of security beyond the port server's defences. But, according to Rapid7, too many machines do not have even these minimal levels of security.

How it all falls apart

The equipment's serial port can also be exposed directly to the network by the Ethernet converter. In this mode, the port server acts as a TCP proxy and removes itself from the equation. Suddenly, the equipment is one step closer to a lurking miscreant.

This configuration allows vendor-specific software, running on a separate computer, to command the equipment over the network or internet via the port server using a proprietary protocol. The software may exchange cryptographic keys with the device to prove it is an authorised controller.

Network connections over TCP/IP typically time out and are torn down if they are left idle for too long. Sessions over serial cables, by contrast, tend to stay active for as long as the equipment remains powered up.

Thus, the researchers found that once a device - whose serial port is exposed directly to the network by the port server - is satisfied that it is talking to a trusted user, it will continue to accept any commands fired its way, via the public-facing port server acting as a TCP proxy.

An attacker therefore just has to wait for a valid user to authenticate before hijacking the machinery by firing his or her own commands at the open TCP port. Cisco devices have additional controls to time out sessions, but otherwise defences against the attack are few and far between, Rapid7 warns:

The end result is that both the TCP proxy and proprietary access protocols lead to a situation where most of the exposed serial ports require no authentication for an attacker to access. An analysis of internet-exposed serial port servers uncovered over 13,000 root shells, system consoles, and administrative interfaces that did not require authentication, many of which had been pre-authenticated by a valid user.
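An added example (not code from the article or from Rapid7) that models the failure mode described above in Python: a constructed serial-attached device that trusts anyone on its serial line, a port server in pass-through TCP-proxy mode, and a hardened port server that logs the device out on TCP disconnect and after an idle limit. The class and function names, the 300-second limit and the `login`/`logout` command syntax are all assumptions made for this example.

```python
class SerialDevice:
    """Constructed model of equipment that trusts its serial line: after one
    valid login it runs any command until told to log out or powered off."""
    def __init__(self, password="constructed-secret"):
        self.password, self.authenticated = password, False
    def write(self, line):
        if not self.authenticated:
            if line == "login " + self.password:
                self.authenticated = True
                return "device> logged in"
            return "device> login required"
        if line == "logout":
            self.authenticated = False
            return "device> bye"
        return "device> executed: " + line

class NaiveProxy:
    """TCP-proxy mode from the article: bytes pass straight through and the
    serial session is untouched when the TCP side disconnects or goes idle."""
    def __init__(self, device, clock):
        self.device, self.clock = device, clock
    def session(self, lines):
        return [self.device.write(line) for line in lines]
    def disconnect(self): pass  # nothing tells the device its user has gone

class HardenedProxy(NaiveProxy):
    """Port server that owns the session: logs the device out on TCP disconnect
    and after IDLE_LIMIT idle seconds, so no later TCP connection inherits it."""
    IDLE_LIMIT = 300  # assumed policy value, not from the article
    def __init__(self, device, clock):
        super().__init__(device, clock)
        self.last_activity = clock()
    def session(self, lines):
        if self.clock() - self.last_activity > self.IDLE_LIMIT:
            self.device.write("logout")  # stale session: force a fresh login
        self.last_activity = self.clock()
        return super().session(lines)
    def disconnect(self):
        self.device.write("logout")

def later_command(proxy_cls, disconnect=True, idle_seconds=0):
    """Valid user logs in; then (optional TCP drop, idle_seconds later) an unauthenticated command arrives."""
    now = [0.0]  # fake clock so idle time can be simulated offline
    proxy = proxy_cls(SerialDevice(), clock=lambda: now[0])
    proxy.session(["login constructed-secret"])
    if disconnect:
        proxy.disconnect()
    now[0] += idle_seconds
    return proxy.session(["status"])[0]
```

With the naive proxy the second connection's `status` is executed on the strength of the earlier user's login; the hardened proxy answers `login required` after a disconnect or once the idle limit has passed.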

Claudio Guarnieri, a security researcher at Rapid7, told El Reg the range of vulnerable systems accessible via serial-to-Ethernet converters included medical devices, traffic control systems, fleet tracking networks and even gas and oil pipelines. The common problem in all cases was either weak or nonexistent authentication checks.

"You have to know how to look for these systems but they're out there," Guarnieri explained. "Once in, anything from raising the temperature in a chemical tank to controlling the traffic lights in a city might be possible. You could shut down the power grid."
