SecurityWeek

Vulnerabilities

Thousands of Serial Port Servers Left Open to Attackers, Researcher Finds

A researcher at Rapid7 has discovered that some 114,000 misconfigured serial port servers that connect business IT and industrial control systems to the Internet are at risk of compromise.


According to Rapid7’s HD Moore, serial port servers, also known as terminal servers, are designed to allow remote access to the serial port of another device over TCP/IP. These devices provide remote access to non-networked equipment as well as remote access, location tracking and monitoring of physically mobile systems such as vehicles and cargo containers. The devices also provide out-of-band access to network and power equipment for the purposes of recovery.

The problem is that many of these serial devices do not require authentication and instead assume that whoever is physically connected to a serial port probably has the right to configure the system, Moore wrote in a blog post.

“Serial port servers change the authentication model in two significant ways,” he explained. “First, the concept of trusting a physical port goes out the window when that port is exposed to the internet, especially without an initial layer of authentication. Second, there is a significant difference between an SSH or telnet session and an authenticated serial console. If the user disconnects from SSH or telnet, the session is closed. This is not the case with serial consoles unless the device automatically logs out due to inactivity.”

“The end result,” he continued, “is that both the TCP proxy and proprietary access protocols lead to a situation where most of the serial ports they expose require no authentication for an attacker to access. An analysis of internet-exposed serial port servers uncovered over 13,000 root shells, system consoles, and administrative interfaces that did not require authentication, many of which had been pre-authenticated by a valid user.”

In a presentation for InfoSec Southwest 2013, Moore revealed that more than 114,000 unique IPs were identified as either Digi International or Lantronix serial port servers using the Simple Network Management Protocol (SNMP) with the community “public.” More than 95,000 of these systems were exposed on the Web through mobile connections such as GPRS, EDGE and 3G, while another 14,000 unique IPs were identified running Digi or Digi-based devices using Digi’s proprietary Advanced Device Discovery Protocol (ADDP).

Some 8,000 Digi devices were identified via FTP banners, and another 500 Lantronix systems were identified using their telnet banners.

“Three sets of data were used to identify open serial consoles,” Moore explained. “First, the Internet Census 2012 data was analyzed for TCP ports 2001-2010 and 3001-3010. These ports are commonly used by Digi and Lantronix devices as TCP proxies for the first 10 configured serial ports. Second, the raw responses for port 771 were analyzed to detect instances of the RealPort proprietary service used by Digi serial port servers. Finally, the devices running the RealPort service were queried to obtain the banners from each attached serial port. The final result was a set of banners that could be matched against common serial console and device menu fingerprints.”


“Overall, a little over 13,000 unique serial ports were exposed that offered some form of system shell, console, data feed, or administrative menu,” he added.
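The last step of the method Moore describes, matching the banner each proxied serial port returns against console and menu fingerprints, is what lets an organisation audit its own terminal servers for consoles that are unauthenticated or that a valid user left logged in. The following is an added example, not Rapid7's or Moore's code: it classifies a set of constructed banners (the endpoints, banner text and fingerprint patterns are all assumptions for illustration) into the categories the article names and counts those reachable without authentication.

```python
import re
from dataclasses import dataclass

# Constructed sample banners, of the kind a terminal server's TCP proxy
# (ports 2001-2010 / 3001-3010 in the article) hands back for each attached
# serial console. Addresses and text are made up for this example.
SAMPLE_BANNERS = {
    "10.0.0.5:2001": "\r\nUbuntu 12.04 LTS host01 ttyS0\r\n\r\nhost01 login: ",
    "10.0.0.5:2002": "\r\nroot@coreswitch:~# ",      # session a user left open
    "10.0.0.7:2001": "Main Menu\r\n1. Configure Network\r\n2. Reboot\r\nSelect option: ",
    "10.0.0.9:3001": "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A",
    "10.0.0.11:2003": "Password: ",
    "10.0.0.11:2004": "",                            # no response at all
}

# Illustrative fingerprints: (category, banner demands a credential?, pattern).
# A prompt that already ends in '#' or '$' is a pre-authenticated shell;
# a login/password prompt still stands between the caller and the console.
FINGERPRINTS = [
    ("root shell",   False, re.compile(r"# $")),
    ("user shell",   False, re.compile(r"\$ $")),
    ("admin menu",   False, re.compile(r"(?i)\bmenu\b.*(select|choice|option)", re.S)),
    ("data feed",    False, re.compile(r"^\$GP[A-Z]{3},")),
    ("login prompt", True,  re.compile(r"(?i)(login|username|password): ?$")),
]


@dataclass
class Finding:
    endpoint: str
    category: str
    unauthenticated: bool   # True when nothing asks for a credential


def classify_banner(banner: str):
    """Return (category, unauthenticated) for one banner. Trailing spaces are
    kept on purpose: shell and login prompts are recognised by how they end."""
    for category, requires_auth, pattern in FINGERPRINTS:
        if pattern.search(banner):
            return category, not requires_auth
    return "unknown", False


def audit(banners):
    """Classify every endpoint that answered; silent ports are skipped."""
    findings = []
    for endpoint, banner in banners.items():
        if not banner.strip():
            continue
        category, unauth = classify_banner(banner)
        findings.append(Finding(endpoint, category, unauth))
    return findings


def summarize(findings):
    """Count unauthenticated consoles per category, the figure the article reports."""
    counts = {}
    for f in findings:
        if f.unauthenticated:
            counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_BANNERS)
    for f in results:
        print(f"{f.endpoint:16} {f.category:13} unauthenticated={f.unauthenticated}")
    print("exposed without authentication:", summarize(results))
```

The ordering of the fingerprint list matters: shell prompts are tested before the login prompt so that an open root session is never mistaken for a protected console. On real terminal servers the fingerprint set would be extended with the specific menu text and prompts of the device models in use.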

There is little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation, Moore wrote, adding that a list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set.

“The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers is an indication of just how dangerous the internet has become,” he blogged.

Written By

Marketing professional with a background in journalism and a focus on IT security.
