Feeds

Serial killer hack threat to gas pipes, traffic lights, power plants

'You could shut down the electricity grid' warns security biz

Securing Web Applications Made Simple and Scalable

How the vulnerable systems were found

Rapid7 used three sets of data to identify open serial consoles as part of its research. The first pool of information came from the controversial Internet Census 2012, specifically an index of devices with open TCP ports 2001 to 2010 and 3001 to 3010. These ports were selected because they are commonly used by Digi and Lantronix serial-to-Ethernet converters configured as TCP proxies.

Secondly, connections to port 771 were analysed to detect Digi gear running proprietary RealPort services. These RealPort servers were queried to obtain the identification banners from the machinery attached to the serial ports.

Overall, thousands of unique serial lines were exposed, each offering some form of system shell, console, data feed, or administrative menu, according to Rapid7:

Over 114,000 unique IPs were identified as either Digi International or Lantronix serial port servers using the Simple Network Management Protocol (SNMP) with the community "public". Over 95,000 of these systems were exposed to the internet through mobile connections such as GPRS, EDGE, and 3G. Another 14,000 unique IPs were identified running Digi, or Digi-based devices using Digi's proprietary Advanced Device Discovery Protocol (ADDP).

FTP banners were used to identify another 8,000 Digi devices. Another 500 Lantronix systems were identified using their telnet banners. Web server headers, SSL certificates, and telnet prompts were useful, but generally not conclusive on their own to identify serial port servers.

Rapid7 embarked on the research to look into the exposure of serial ports on the internet. However as the study progressed it became clear that many of these servers are also used to manage other types of physical connections.

For example, building security systems may be connected to computers via Digi networking gear, but instead of using a serial port to hook up sensors and locks, the Digi device drives and monitors custom output and input signal lines to and from the security alarms and sensors, respectively.

And in some cases, organisations may not be aware that serial ports could be exposed to the public internet via the mobile phone network: a misconfiguration could expose the hardware when connected via a port server that has cellular network capabilities.

Rapid7 has written Metasploit modules to identify and assess public-facing serial port servers made by Digi International. In addition, the security tools firm has published recommendations on how to reduce the risk of an attack through an exposed serial port server.

These recommendations include using encrypted management services (using SSL or SSH protocols, for example), setting a strong password and using a non-default username, and scanning the network for vulnerable devices. Rapid7 concludes that the biggest immediate problem is lack of awareness that anything might be amiss:

There are over 114,000 serial port servers accessible from the internet, with over 95,000 connected via mobile providers. These expose over 13,000 serial ports that offer some level of administrative access to any attacker that happens to connect. There is a little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation.

A list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set. The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become.

HD Moore, the developer of Metasploit and chief security officer at Rapid7, gave a presentation on the widespread insecurity of serial port servers at the InfoSec Southwest 2013 conference. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.