Original URL: https://www.theregister.com/2013/04/29/serial_port_security_threat/

Serial killer hack threat to gas pipes, traffic lights, power plants

'You could shut down the electricity grid' warns security biz

By John Leyden

Posted in Security, 29th April 2013 09:04 GMT

Analysis Medical systems to traffic light boxes are apparently wide open to hackers thanks to a lack of authentication checks in equipment exposed to the internet.

That's according to research from security toolmaker Rapid7, which says it found plenty of essential electronics that can be freely remotely controlled via public-facing serial port servers.

These serial port servers, also known as terminal servers or serial-to-Ethernet converters, pipe data to and from a device's serial port over the internet. This allows workers to remotely control equipment - from sensors to factory robots - over the web or mobile phone network, which is handy when said machinery doesn't offer an Ethernet connection.

These serial port servers also pop up alongside systems that track vehicles and cargo containers, and can provide auxiliary access to network and power equipment in case of some disaster.

Serial port servers are about the size of a home internet router with one or more serial ports on one side and an Ethernet interface on the other; some products feature wireless or mobile network connectivity.

[Image: typical serial-to-Ethernet converters. Your common or garden serial port server (Credit: Rapid7)]

A serial cable is plugged in between the port server and the target device - such as a router, server or industrial control system - and the port server is configured to allow remote access to the device: a user can log into the server via telnet, SSH or a web interface. This could involve typing in a correct username and password to satisfy the port server before the connection is passed onto the equipment.

Many serial-connected machines assume that anyone who can talk to them over a serial cable is an authorised employee with physical access, so no further security checks are needed: such a machine will accept commands from anyone communicating via its serial port, and thus it trusts the port server completely.

That's why a port server should be configured to authenticate remote users, such as requiring a correct username and password combination, before handing over the reins to the sensitive equipment. If you can bypass or defeat the port server, the equipment is yours to control.

Some more paranoid machines require a valid username and password combination to be sent over the serial line, adding an extra level of security beyond the port server's defences. But, according to Rapid7, too many machines do not have even these minimal levels of security.

How it all falls apart

The equipment's serial port can also be exposed directly to the network by the Ethernet converter. In this mode, the port server acts as a TCP proxy and removes itself from the equation. Suddenly, the equipment is one step closer to a lurking miscreant.

This configuration allows vendor-specific software, running on a separate computer, to command the equipment over the network or internet via the port server using a proprietary protocol. The software may exchange cryptographic keys with the device to prove it is an authorised controller.

Network connections over TCP/IP typically time out and die if they are left idle for too long. But connections over serial cables tend to stay active as long as the equipment remains powered up.

Thus, the researchers found that once a device - whose serial port is exposed directly to the network by the port server - is satisfied that it is talking to a trusted user, it will continue to accept any commands fired its way, via the public-facing port server acting as a TCP proxy.

An attacker therefore just has to wait for a valid user to authenticate before hijacking the machinery by firing his or her own commands at the open TCP port. Cisco devices have additional controls to time out sessions, but otherwise defences against the attack are few and far between, Rapid7 warns:

The end result is that both the TCP proxy and proprietary access protocols lead to a situation where most of the serial ports exposed require no authentication for an attacker to access. An analysis of internet-exposed serial port servers uncovered over 13,000 root shells, system consoles, and administrative interfaces that did not require authentication, many of which had been pre-authenticated by a valid user.
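To make the session-persistence problem concrete, here is a small added model (not Rapid7's code or any vendor's firmware; the device protocol, the credentials "s3cret" and "admin-pw", and the clock values are constructed for the example) of a serial-attached device behind a port server, in plain TCP-proxy mode beside a hardened mode that authenticates each TCP connection, logs the device out on disconnect and times out idle sessions:

```python
# Toy model of equipment behind a serial-to-Ethernet port server. Added
# illustration, not Rapid7's code; protocol, credentials and timeouts are made up.
class SerialDevice:
    """Logs in once over the serial line and stays logged in while powered."""
    def __init__(self, password="s3cret"):
        self.password, self.logged_in = password, False
    def send(self, line):
        if not self.logged_in:  # only a login is accepted until authenticated
            self.logged_in = line.startswith("login ") and line[6:] == self.password
            return "ok" if self.logged_in else "login required"
        if line == "logout":
            self.logged_in = False
            return "bye"
        return "executed: " + line

class PortServer:
    """Plain TCP proxy by default; hardened=True adds its own login per TCP
    connection, logs the device out on disconnect and enforces an idle timeout."""
    def __init__(self, device, hardened=False, idle_timeout=60, admin_pw="admin-pw"):
        self.device, self.hardened = device, hardened
        self.idle_timeout, self.admin_pw = idle_timeout, admin_pw
        self.sessions = {}  # conn_id -> {"auth": bool, "last": clock seconds}
    def connect(self, conn_id, now):
        self.sessions[conn_id] = {"auth": not self.hardened, "last": now}
    def disconnect(self, conn_id):
        self.sessions.pop(conn_id, None)
        if self.hardened:
            self.device.send("logout")  # never leave a pre-authenticated line behind
    def send(self, conn_id, line, now):
        s = self.sessions[conn_id]
        if self.hardened and now - s["last"] > self.idle_timeout:
            self.disconnect(conn_id)
            return "idle timeout"
        s["last"] = now
        if self.hardened and not s["auth"]:
            s["auth"] = line.startswith("auth ") and line[5:] == self.admin_pw
            return "server ok" if s["auth"] else "server login required"
        return self.device.send(line)

def stale_session_scenario(hardened, gap=600):
    """Operator logs in then drops TCP; returns the reply a later, unrelated
    TCP connection gets when it sends a command."""
    ps = PortServer(SerialDevice(), hardened=hardened)
    ps.connect("operator", now=0)
    if hardened:
        ps.send("operator", "auth admin-pw", now=1)
    ps.send("operator", "login s3cret", now=2)
    ps.disconnect("operator")  # TCP link drops; the serial line stays up
    ps.connect("newcomer", now=gap)
    return ps.send("newcomer", "set valve 100", now=gap + 1)
```

In proxy mode the newcomer's command is executed because the device's serial login survived the operator's TCP disconnect; in hardened mode the newcomer is challenged for the server login first, and an authenticated connection that goes quiet is dropped when the idle timeout expires.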

Claudio Guarnieri, a security researcher at Rapid7, told El Reg the range of vulnerable systems accessible via serial-to-Ethernet converters included medical devices, traffic control systems, fleet tracking networks and even gas and oil pipelines. The common problem in all cases was either weak or nonexistent authentication checks.

"You have to know how to look for these systems but they're out there," Guarnieri explained. "Once in, anything from raising the temperature in a chemical tank to controlling the traffic lights in a city might be possible. You could shut down the power grid."

How the vulnerable systems were found

Rapid7 used three sets of data to identify open serial consoles as part of its research. The first pool of information came from the controversial Internet Census 2012, specifically an index of devices with open TCP ports 2001 to 2010 and 3001 to 3010. These ports were selected because they are commonly used by Digi and Lantronix serial-to-Ethernet converters configured as TCP proxies.

Secondly, connections to port 771 were analysed to detect Digi gear running proprietary RealPort services. These RealPort servers were queried to obtain the identification banners from the machinery attached to the serial ports.

Overall, thousands of unique serial lines were exposed, each offering some form of system shell, console, data feed, or administrative menu, according to Rapid7:

Over 114,000 unique IPs were identified as either Digi International or Lantronix serial port servers using the Simple Network Management Protocol (SNMP) with the community "public". Over 95,000 of these systems were exposed to the internet through mobile connections such as GPRS, EDGE, and 3G. Another 14,000 unique IPs were identified running Digi, or Digi-based devices using Digi's proprietary Advanced Device Discovery Protocol (ADDP).

FTP banners were used to identify another 8,000 Digi devices. Another 500 Lantronix systems were identified using their telnet banners. Web server headers, SSL certificates, and telnet prompts were useful, but generally not conclusive on their own to identify serial port servers.

Rapid7 embarked on the research to look into the exposure of serial ports on the internet. However, as the study progressed it became clear that many of these servers are also used to manage other types of physical connections.

For example, building security systems may be connected to computers via Digi networking gear, but instead of using a serial port to hook up sensors and locks, the Digi device drives and monitors custom output and input signal lines to and from the security alarms and sensors, respectively.

And in some cases, organisations may not be aware that serial ports could be exposed to the public internet via the mobile phone network: a misconfiguration could expose the hardware when connected via a port server that has cellular network capabilities.

Rapid7 has written Metasploit modules to identify and assess public-facing serial port servers made by Digi International. In addition, the security tools firm has published recommendations on how to reduce the risk of an attack through an exposed serial port server.

These recommendations include using encrypted management services (using SSL or SSH protocols, for example), setting a strong password and using a non-default username, and scanning the network for vulnerable devices. Rapid7 concludes that the biggest immediate problem is lack of awareness that anything might be amiss:

There are over 114,000 serial port servers accessible from the internet, with over 95,000 connected via mobile providers. These expose over 13,000 serial ports that offer some level of administrative access to any attacker that happens to connect. There is little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation.

A list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set. The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers is an indication of just how dangerous the internet has become.

HD Moore, the developer of Metasploit and chief security officer at Rapid7, gave a presentation on the widespread insecurity of serial port servers at the InfoSec Southwest 2013 conference. ®