You probably remember serial ports as the ancient nine-pin plugs you once used to hook up your mouse or joystick to your computer in the pre-USB dark ages. But tracking down devices that still use serial port connections isn't so hard, it seems. In fact, according to H.D. Moore, any hacker can find--and tamper with--more than 100,000 of them over the Internet, including critical systems ranging from traffic lights to fuel pumps to building heating and cooling systems to retail point-of-sale devices.
Moore, chief research officer at the security firm Rapid7, presented new research at the Infosec Southwest conference held over the weekend in Austin, Texas, showing how he was able to locate and access a hidden layer of vulnerable machines via 114,000 devices known as "serial servers" or "terminal servers"--systems that allow outmoded hardware to be accessed remotely over the Internet via their serial ports.
Despite serial ports largely going the way of floppy disks and zip drives, some companies have continued to use older, serial-connected equipment, and have bought networking gear made by vendors like Digi and Lantronix to connect those legacy systems to modern networks. As a result, Moore says that many of those outmoded systems have been left entirely exposed to hackers. "Serial servers act as a glue between archaic systems and the networked world," Moore writes in an FAQ accompanying his research. (I've embedded it at the bottom of this post.) "These devices are widely used and have little built-in security, providing an easy route for attackers to compromise critical systems and confidential data."
Analyzing a database of a year's worth of Internet scan results he's assembled known as Critical.io, as well as other data from the 2012 Internet Census, Moore discovered that thousands of devices had no authentication, weak or no encryption, default passwords, or had no automatic "log-off" functionality, leaving them pre-authenticated and ready to access. Although he was careful not to actually tamper with any of the systems he connected to, Moore says he could have in some cases switched off the ability to monitor traffic lights, disabled trucking companies' gas pumps or faked credentials to get free fuel, sent fake alerts over public safety system alert systems, and changed environmental settings in buildings to burn out equipment or turn off refrigeration, leaving food stores to rot.
About 95,000 of the devices were connected via Edge, GPRS and 3G cellular modems, creating connections that Moore says wouldn't be monitored by corporate firewalls. And in other cases Moore found Virtual Private Network servers and routers connected via the serial servers within corporations' networks, creating a backdoor for hackers hoping to further penetrate a network or steal data. "It’s an attack vector most people wouldn’t think of. And it's not one they’d easily monitor," Moore says.
Moore's findings represent an important reminder of security vulnerabilities created by maintaining legacy equipment, says Kevin Finisterre, a senior research consultant for security firm Accuvant who has dealt with serial server insecurities in the past and with whom Moore shared his data. Despite the critical nature of the systems found to be vulnerable in Moore's work, Finisterre says he's not surprised. "Historically, there has been no shortage of stupid things exposed on the Internet," he says.
As for fixing the vulnerable systems he's unveiled, Moore explains that he's not pointing to security bugs in the products sold by Digi International and Lantronix in need of patching. Instead, the problem is insecure configurations of that equipment by customers who aren't aware of the risks of exposing their serial-connected equipment online. In his presentation to the Infosec Southwest audience, he offered a series of remediation steps like enabling authentication and encrypted connections to the serial-connected devices, requiring strong passwords rather than default ones, and setting automatic timeouts rather than requiring users to log off.
"It seems that you could deploy their software securely, but I don’t think anyone does," says Moore. "It’s more of an issue of education. But some blame should be put on the vendors for not telling their customers how important this is."
Lantronix declined to comment. But Digi, which sold more than 100,000 of the 120,000 servers connected to vulnerable systems Moore found, sent me a statement from its chief technology officer Joel Young saying that he agrees with Moore's warnings and fix recommendations. "H.D. Moore is calling attention to an area that Digi is passionate about," reads the statement. It goes on to suggest users implement extra hardware to monitor their legacy systems for vulnerabilities. "Especially for the Internet of Things where so many things will be connected wirelessly, we believe a good security policy monitored 24x7x365 by the resources of a device cloud is a great answer--A device cloud that can set off an alarm if something has not been configured properly, or if a default password has been left in place, or if an unsecure access method has been left on."
According to Moore, that statement seems to refer to another Digi product known as iDigi, designed to automatically manage large collections of networked devices. But Moore says that adding another management tool is no quick fix. Much of the legacy equipment Moore found wasn't even compatible with iDigi, he says.
"No matter how you do it, you have to lock these devices down," he says. "You can’t automatically secure yourself just by adding a piece of equipment."
Read the full FAQ on serial server vulnerabilities from Moore and Rapid7 here, or embedded below, and check out H.D. Moore's own blog post on the issue here.
__
Follow me on Twitter, and check out my new book, This Machine Kills Secrets: How WikiLeakers, Cypherpunks and Hacktivists Aim To Free The World’s Information.
