Feeds

Serial killer hack threat to gas pipes, traffic lights, power plants

'You could shut down the electricity grid' warns security biz

Secure remote control for conventional and virtual desktops

How the vulnerable systems were found

Rapid7 used three sets of data to identify open serial consoles as part of its research. The first pool of information came from the controversial Internet Census 2012, specifically an index of devices with open TCP ports 2001 to 2010 and 3001 to 3010. These ports were selected because they are commonly used by Digi and Lantronix serial-to-Ethernet converters configured as TCP proxies.

Secondly, connections to port 771 were analysed to detect Digi gear running proprietary RealPort services. These RealPort servers were queried to obtain the identification banners from the machinery attached to the serial ports.

Overall, thousands of unique serial lines were exposed, each offering some form of system shell, console, data feed, or administrative menu, according to Rapid7:

Over 114,000 unique IPs were identified as either Digi International or Lantronix serial port servers using the Simple Network Management Protocol (SNMP) with the community "public". Over 95,000 of these systems were exposed to the internet through mobile connections such as GPRS, EDGE, and 3G. Another 14,000 unique IPs were identified running Digi, or Digi-based devices using Digi's proprietary Advanced Device Discovery Protocol (ADDP).

FTP banners were used to identify another 8,000 Digi devices. Another 500 Lantronix systems were identified using their telnet banners. Web server headers, SSL certificates, and telnet prompts were useful, but generally not conclusive on their own to identify serial port servers.

Rapid7 embarked on the research to look into the exposure of serial ports on the internet. However as the study progressed it became clear that many of these servers are also used to manage other types of physical connections.

For example, building security systems may be connected to computers via Digi networking gear, but instead of using a serial port to hook up sensors and locks, the Digi device drives and monitors custom output and input signal lines to and from the security alarms and sensors, respectively.

And in some cases, organisations may not be aware that serial ports could be exposed to the public internet via the mobile phone network: a misconfiguration could expose the hardware when connected via a port server that has cellular network capabilities.

Rapid7 has written Metasploit modules to identify and assess public-facing serial port servers made by Digi International. In addition, the security tools firm has published recommendations on how to reduce the risk of an attack through an exposed serial port server.

These recommendations include using encrypted management services (using SSL or SSH protocols, for example), setting a strong password and using a non-default username, and scanning the network for vulnerable devices. Rapid7 concludes that the biggest immediate problem is lack of awareness that anything might be amiss:

There are over 114,000 serial port servers accessible from the internet, with over 95,000 connected via mobile providers. These expose over 13,000 serial ports that offer some level of administrative access to any attacker that happens to connect. There is a little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation.

A list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set. The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become.

HD Moore, the developer of Metasploit and chief security officer at Rapid7, gave a presentation on the widespread insecurity of serial port servers at the InfoSec Southwest 2013 conference. ®

New hybrid storage solutions

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.