Serial killer hack threat to gas pipes, traffic lights, power plants

'You could shut down the electricity grid' warns security biz

Analysis: Medical systems to traffic light boxes are apparently wide open to hackers thanks to a lack of authentication checks in equipment exposed to the internet.

That's according to research from security toolmaker Rapid7, which says it found plenty of essential electronics that can be freely remotely controlled via public-facing serial port servers.

These serial port servers, also known as terminal servers or serial-to-Ethernet converters, pipe data to and from a device's serial port over the internet. This allows workers to remotely control equipment - from sensors to factory robots - over the web or mobile phone network, which is handy when said machinery doesn't offer an Ethernet connection.

These serial port servers also pop up alongside systems that track vehicles and cargo containers, and can provide auxiliary access to network and power equipment in case of some disaster.

Serial port servers are about the size of a home internet router with one or more serial ports on one side and an Ethernet interface on the other; some products feature wireless or mobile network connectivity.

[Image: typical serial-to-Ethernet converters. Caption: Your common or garden serial port server (Credit: Rapid7)]

A serial cable is plugged in between the port server and the target device - such as a router, server or industrial control system - and the port server is configured to allow remote access to the device: a user can log into the server via telnet, SSH or a web interface. This could involve typing in a correct username and password to satisfy the port server before the connection is passed onto the equipment.

A good many serial-connected machines assume that anyone who can talk to them over a serial cable is an authorised employee with physical access, so no further security checks are needed: such a machine will accept commands from anyone communicating via its serial port, and thus it implicitly trusts the port server.

That's why a port server should be configured to authenticate remote users, such as requiring a correct username and password combination, before handing over the reins to the sensitive equipment. If you can bypass or defeat the port server, the equipment is yours to control.

Some more paranoid machines require a valid username and password combination to be sent over the serial line, adding an extra level of security beyond the port server's defences. But, according to Rapid7, too many machines do not have even these minimal levels of security.

How it all falls apart

The equipment's serial port can also be exposed directly to the network by the Ethernet converter. In this mode, the port server acts as a TCP proxy and removes itself from the equation. Suddenly, the equipment is one step closer to a lurking miscreant.

This configuration allows vendor-specific software, running on a separate computer, to command the equipment over the network or internet via the port server using a proprietary protocol. The software may exchange cryptographic keys with the device to prove it is an authorised controller.

Network connections over TCP/IP typically time out and die if they are left idle for too long. Connections over serial cables, by contrast, tend to stay active for as long as the equipment remains powered up.

Thus, the researchers found that once a device - whose serial port is exposed directly to the network by the port server - is satisfied that it is talking to a trusted user, it will continue to accept any commands fired its way, via the public-facing port server acting as a TCP proxy.

An attacker therefore just has to wait for a valid user to authenticate before hijacking the machinery by firing his or her own commands at the open TCP port. Cisco devices have additional controls to time out sessions, but otherwise defences against the attack are few and far between, Rapid7 warns:

The end result is that both the TCP proxy and proprietary access protocols lead to a situation where most of the serial ports exposed require no authentication for an attacker to access. An analysis of internet-exposed serial port servers uncovered over 13,000 root shells, system consoles, and administrative interfaces that did not require authentication, many of which had been pre-authenticated by a valid user.
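The mechanism above, as an added model rather than code from Rapid7 or any vendor: a device that trusts its serial port keeps its login open after the TCP side of a proxy-mode port server goes away, and the next TCP client inherits it. The model also shows the two mitigations the article alludes to, an idle timeout on the port server and a forced logout when the TCP link drops; the class and function names, the "login"/"logout" command syntax and the credential are all constructed for the example.

```python
# Constructed model of a serial device behind a port server in TCP-proxy mode.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SerialDevice:
    """Trusts its serial port: once logged in, it runs anything it is sent."""
    password: str
    logged_in: bool = False
    executed: list = field(default_factory=list)   # (who, command) pairs

    def send(self, line: str, who: str) -> str:
        if not self.logged_in:
            if line == f"login {self.password}":
                self.logged_in = True
                return "ok"
            return "login required"
        if line == "logout":
            self.logged_in = False
            return "bye"
        self.executed.append((who, line))
        return "done"

@dataclass
class PortServer:
    """TCP proxy in front of the serial line, with two optional hardenings."""
    device: SerialDevice
    idle_timeout: Optional[float] = None   # None = plain TCP proxy, no timeout
    logout_on_disconnect: bool = False
    last_activity: float = 0.0

    def tcp_data(self, who: str, line: str, now: float) -> str:
        # Idle timeout: end the stale serial session before forwarding anything.
        if self.idle_timeout is not None and now - self.last_activity > self.idle_timeout:
            self.device.send("logout", "portserver")
        self.last_activity = now
        return self.device.send(line, who)

    def tcp_close(self) -> None:
        # Without this, the serial side stays logged in after the TCP link drops.
        if self.logout_on_disconnect:
            self.device.send("logout", "portserver")

def hijack_scenario(idle_timeout: Optional[float] = None, logout_on_disconnect: bool = False):
    """Operator logs in, TCP link drops without a logout, a second client connects later."""
    dev = SerialDevice(password="s3cret")               # constructed credential
    ps = PortServer(dev, idle_timeout, logout_on_disconnect)
    ps.tcp_data("operator", "login s3cret", now=0.0)
    ps.tcp_data("operator", "show status", now=5.0)
    ps.tcp_close()                                       # link drops, no logout sent
    ps.tcp_data("intruder", "set valve open", now=600.0)
    return [who for who, _ in dev.executed]              # whose commands the device ran
```

With neither hardening enabled the second client's command is executed on the pre-authenticated session; with either one it is refused with "login required".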

Claudio Guarnieri, a security researcher at Rapid7, told El Reg the range of vulnerable systems accessible via serial-to-Ethernet converters included medical devices, traffic control systems, fleet tracking networks and even gas and oil pipelines. The common problem in all cases was either weak or nonexistent authentication checks.

"You have to know how to look for these systems but they're out there," Guarnieri explained. "Once in, anything from raising the temperature in a chemical tank to controlling the traffic lights in a city might be possible. You could shut down the power grid."
