A survey conducted by the firm Rapid7 has found evidence that widespread vulnerabilities and insecure configuration of ubiquitous networking components known as serial port (or “terminal”) servers may expose a wide range of companies and critical assets – including point of sale terminals, ATMs and industrial control systems – to remote cyber attacks.(*)
The vulnerable devices connected hardware like retail point-of-sale systems at a national chain of dry cleaners, providing direct access to employee terminals from which customer payment information could be accessed. Other exposed systems were used to monitor the location of cargo containers, train cargo as well as HVAC and industrial control systems, Rapid7 said.
In the Rapid7 survey, over 114,000 unique IPs were identified in a scan using the Simple Network Management Protocol (SNMP), the vast majority manufactured by one company: Digi International. If left unaddressed, the vulnerable devices give remote attackers direct, administrative access to the hardware connected to the serial servers, Rapid7’s HD Moore warned in a blog post Tuesday.
“The results were pretty scary,” Moore wrote. “Authentication was rarely implemented and the types of devices exposed ranged from corporate VPN servers to traffic signal monitors.”
Serial port servers are straightforward devices akin to a home router, with one or more serial ports on one side and an Ethernet, wireless, or mobile interface on the other. They’re used to give organizations remote network access to devices that rely on physical, serial connections. Companies connect the serial server to one or more target devices, such as a router, server, or industrial control system. The serial port server is then configured to allow remote access to this port using an internal management interface.
Rapid7 found that access to the administrative interfaces was reliably secure, requiring both a user name and password to access. The serial connections were another matter, and rarely required remote users to authenticate before communicating with the serial port. That means that anyone who knows the address of the port could connect to it directly, without authenticating, and begin sending commands directly to the connected device, Moore said.
When serial connections were physical – wires plugged into physical ports – such a “trust” assumption was understandable. But serial port servers change the authentication model, providing a bridge between the physical connection and the public Internet that can be exploited, Moore wrote.
“The concept of trusting a physical port goes out the window when that port is exposed to the Internet, especially without an initial layer of authentication,” he wrote.
Just as significant: the serial servers analyzed by Rapid7 treated sessions as if the connection were physical. Inactive sessions therefore remained open, rather than timing out, until a user manually terminated them or the device was rebooted or taken offline, Moore said.
“An attacker just has to wait for a valid user to authenticate. Once logged in, the attacker can either hijack the serial port connection or wait for them to become idle and then steal a pre-authenticated shell on the target device.”
Moore’s analysis uncovered 13,000 such systems, with root shells, system consoles, and administrative interfaces that did not require authentication. Many of those had been hijacked by attackers using TCP or proprietary protocols after a valid user had authenticated to the device, then let the session fall idle.
“These attacks are straightforward, but obscure,” Moore told The Security Ledger.
Attackers can easily identify serial servers with scanning tools like the SHODAN search engine or data sets like The Internet Census by looking for devices listening on TCP ports 2001-2010 and 3001-3010. Those ports are commonly used by devices from Digi and Lantronix, another vendor, as TCP proxies for the first 10 configured serial ports, Moore wrote.
Moore also scanned for devices using RealPort, a proprietary protocol used by Digi serial port servers. Of the 13,000 unique serial ports that Moore found exposed, all offered some form of system shell, console, data feed, or administrative menu to attackers.
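The two exposure patterns described above, the well-known proxy port ranges and sessions that never time out, can be watched for from the defender's side. The following is an added example, not code from the article, Rapid7 or Digi: it runs simple detection logic over a few constructed connection-log records, flagging any connection to the 2001-2010 and 3001-3010 ranges from outside an assumed management network, and any session on those ports that has stayed open longer than an assumed idle limit. The log format, the trusted network 10.20.0.0/16, the serial server address 192.0.2.10 and the 30-minute threshold are all assumptions made for the example.

```python
"""Flag risky access to serial port server TCP proxies in connection logs.

Added example (not from the article). The port ranges come from the
article; the log format, trusted network and idle threshold are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Default TCP proxy ports for the first ten serial ports on Digi and
# Lantronix devices, as named in the article.
SERIAL_PROXY_PORTS = set(range(2001, 2011)) | set(range(3001, 3011))

# Assumption: the management network from which console access is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumption: a console session open longer than this is worth a look,
# since the devices themselves never time sessions out.
IDLE_LIMIT_SECONDS = 30 * 60

# Constructed sample records: "src dst dport duration_seconds".
SAMPLE_LOG = """\
10.20.4.7 192.0.2.10 2001 120
198.51.100.23 192.0.2.10 2003 45
10.20.4.9 192.0.2.10 3002 7200
198.51.100.23 192.0.2.10 3010 86400
203.0.113.5 192.0.2.10 443 60
this line is malformed
"""


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ipaddress.ip_address(parts[0])  # validate the source address early
        return Flow(parts[0], parts[1], int(parts[2]), int(parts[3]))
    except ValueError:
        return None


def is_trusted(addr: str) -> bool:
    """True if the address falls inside one of the trusted management networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def classify(flow: Flow) -> List[str]:
    """Return the findings for a flow; empty if it is not a serial proxy port."""
    findings: List[str] = []
    if flow.dport not in SERIAL_PROXY_PORTS:
        return findings
    if not is_trusted(flow.src):
        findings.append("untrusted-source")
    if flow.duration_s > IDLE_LIMIT_SECONDS:
        findings.append("long-lived-session")
    return findings


def scan_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each offending record (stripped) to its list of findings."""
    results: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.strip()
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed records rather than crash the run
        findings = classify(flow)
        if findings:
            results[line] = findings
    return results


if __name__ == "__main__":
    for record, findings in scan_log(SAMPLE_LOG.splitlines()).items():
        print(f"{record}  ->  {', '.join(findings)}")
```

Run against the constructed records, the trusted short session on port 2001 and the HTTPS flow are ignored, the external connection to port 2003 is flagged for its source, the two-hour internal session on 3002 is flagged for its duration, and the day-long external session on 3010 is flagged for both. In practice the same two rules map onto the article's remediation point: require authentication in front of the serial port, and enforce an idle timeout the device itself does not provide.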
It’s unclear whether exposed serial servers have actually been used as an element in real-world attacks. Moore said the devices are common in industries that are known to be the target of sophisticated, nation-backed attackers, such as the oil and gas industry, where serial servers allow companies to communicate with remote field devices.
“It appears that he is highlighting user practices in configuration of security features or in the implementation of security policies. HD Moore is calling attention to an area that Digi is passionate about,” the company said. “We’re reaching out to Mr. Moore to see if there are things we can learn from his efforts, or ways to partner with him to educate … implementers.”
“In Mr. Moore’s recent presentation, he made some Remediation recommendations that we agree with and often recommend to customers. He offers an excellent summary of good security policies for users to adhere to,” Digi said.
Digi said that in the fast-emerging environment of always-connected, IP-enabled devices, there needs to be constant security and policy monitoring, possibly in a cloud-based service: “A Device Cloud that can set off an alarm if something has not been configured properly, or if a default password has been left in place, or if an unsecure (sic) access method has been left on.”
(*) Editor’s Note: Updated to add comment from Digi. – PFR 4/24/2013