Feeds

Serial killer hack threat to gas pipes, traffic lights, power plants

'You could shut down the electricity grid' warns security biz

Intelligent flash storage arrays

How the vulnerable systems were found

Rapid7 used three sets of data to identify open serial consoles as part of its research. The first pool of information came from the controversial Internet Census 2012, specifically an index of devices with open TCP ports 2001 to 2010 and 3001 to 3010. These ports were selected because they are commonly used by Digi and Lantronix serial-to-Ethernet converters configured as TCP proxies.

Secondly, connections to port 771 were analysed to detect Digi gear running proprietary RealPort services. These RealPort servers were queried to obtain the identification banners from the machinery attached to the serial ports.

Overall, thousands of unique serial lines were exposed, each offering some form of system shell, console, data feed, or administrative menu, according to Rapid7:

Over 114,000 unique IPs were identified as either Digi International or Lantronix serial port servers using the Simple Network Management Protocol (SNMP) with the community "public". Over 95,000 of these systems were exposed to the internet through mobile connections such as GPRS, EDGE, and 3G. Another 14,000 unique IPs were identified running Digi, or Digi-based devices using Digi's proprietary Advanced Device Discovery Protocol (ADDP).

FTP banners were used to identify another 8,000 Digi devices. Another 500 Lantronix systems were identified using their telnet banners. Web server headers, SSL certificates, and telnet prompts were useful, but generally not conclusive on their own to identify serial port servers.

Rapid7 embarked on the research to look into the exposure of serial ports on the internet. However as the study progressed it became clear that many of these servers are also used to manage other types of physical connections.

For example, building security systems may be connected to computers via Digi networking gear, but instead of using a serial port to hook up sensors and locks, the Digi device drives and monitors custom output and input signal lines to and from the security alarms and sensors, respectively.

And in some cases, organisations may not be aware that serial ports could be exposed to the public internet via the mobile phone network: a misconfiguration could expose the hardware when connected via a port server that has cellular network capabilities.

Rapid7 has written Metasploit modules to identify and assess public-facing serial port servers made by Digi International. In addition, the security tools firm has published recommendations on how to reduce the risk of an attack through an exposed serial port server.

These recommendations include using encrypted management services (using SSL or SSH protocols, for example), setting a strong password and using a non-default username, and scanning the network for vulnerable devices. Rapid7 concludes that the biggest immediate problem is lack of awareness that anything might be amiss:

There are over 114,000 serial port servers accessible from the internet, with over 95,000 connected via mobile providers. These expose over 13,000 serial ports that offer some level of administrative access to any attacker that happens to connect. There is a little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation.

A list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set. The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become.

HD Moore, the developer of Metasploit and chief security officer at Rapid7, gave a presentation on the widespread insecurity of serial port servers at the InfoSec Southwest 2013 conference. ®

Security for virtualized datacentres

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Internet Security Threat Report 2014
An overview and analysis of the year in global threat activity: identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape.