Serial killer hack threat to gas pipes, traffic lights, power plants

How the vulnerable systems were found

Rapid7 used three sets of data to identify open serial consoles as part of its research. The first pool of information came from the controversial Internet Census 2012, specifically an index of devices with open TCP ports 2001 to 2010 and 3001 to 3010. These ports were selected because they are commonly used by Digi and Lantronix serial-to-Ethernet converters configured as TCP proxies.

Secondly, connections to port 771 were analysed to detect Digi gear running proprietary RealPort services. These RealPort servers were queried to obtain the identification banners from the machinery attached to the serial ports.

Overall, thousands of unique serial lines were exposed, each offering some form of system shell, console, data feed, or administrative menu, according to Rapid7:

Over 114,000 unique IPs were identified as either Digi International or Lantronix serial port servers using the Simple Network Management Protocol (SNMP) with the community "public". Over 95,000 of these systems were exposed to the internet through mobile connections such as GPRS, EDGE, and 3G. Another 14,000 unique IPs were identified running Digi, or Digi-based devices using Digi's proprietary Advanced Device Discovery Protocol (ADDP).

FTP banners were used to identify another 8,000 Digi devices. Another 500 Lantronix systems were identified using their telnet banners. Web server headers, SSL certificates, and telnet prompts were useful, but generally not conclusive on their own to identify serial port servers.

Rapid7 embarked on the research to look into the exposure of serial ports on the internet. However as the study progressed it became clear that many of these servers are also used to manage other types of physical connections.

For example, building security systems may be connected to computers via Digi networking gear, but instead of using a serial port to hook up sensors and locks, the Digi device drives and monitors custom output and input signal lines to and from the security alarms and sensors, respectively.

And in some cases, organisations may not be aware that serial ports could be exposed to the public internet via the mobile phone network: a misconfiguration could expose the hardware when connected via a port server that has cellular network capabilities.

Rapid7 has written Metasploit modules to identify and assess public-facing serial port servers made by Digi International. In addition, the security tools firm has published recommendations on how to reduce the risk of an attack through an exposed serial port server.

These recommendations include using encrypted management services (using SSL or SSH protocols, for example), setting a strong password and using a non-default username, and scanning the network for vulnerable devices. Rapid7 concludes that the biggest immediate problem is lack of awareness that anything might be amiss:

There are over 114,000 serial port servers accessible from the internet, with over 95,000 connected via mobile providers. These expose over 13,000 serial ports that offer some level of administrative access to any attacker that happens to connect. There is a little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation.

A list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set. The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become.

HD Moore, the developer of Metasploit and chief security officer at Rapid7, gave a presentation on the widespread insecurity of serial port servers at the InfoSec Southwest 2013 conference. ®