Alarmingly, these ports are often connected to modems or serial port servers for remote access to systems too: making for as many as 114,000 serial port servers out there that are accessible from the internet, with more than 95,000 of them connected via mobile providers.
And that’s a big issue: These expose more than 13,000 serial ports that offer some level of administrative access to any attacker that happens to connect, according to Rapid7’s HD Moore, who added that there is a little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation.
Serial port servers, also known as terminal servers, are designed to allow remote access to the serial port of another device over TCP/IP. They provide remote access to non-networked equipment such as environment controls, industrial automation, and monitoring systems, mainly. But they also provide remote access, location tracking and monitoring of physically mobile systems, including vehicles and cargo containers. They also provide out-of-band access to network and power equipment for the purpose of recovery in the case of an outage.
Moore presented his research on serial port servers at the Infosec Southwest conference, finding that authentication was rarely implemented in serial port configurations. The types of devices exposed ranged from corporate VPN servers to traffic signal monitors. Basically any hacker can find – and tamper with – more than 100,000 of these serial port connections over the internet, including critical systems ranging from traffic lights to fuel pumps to building heating and cooling systems to retail point-of-sale devices.
“If the serial port is connected to a device that requires authentication, such as a Linux server, or a Cisco IOS router, it is theoretically protected from unauthorized access unless the attacker knows the correct password,” Moore explained. “Many serial devices do not require authentication and instead assume that if you are physically connected to a serial port, you probably have the right to configure the system.”
Serial port servers change the authentication model in two significant ways, he added. “First, the concept of trusting a physical port goes out the window when that port is exposed to the internet, especially without an initial layer of authentication,” he explained. “And second, there is a significant difference between a SSH or telnet session and an authenticated serial console. If the user disconnects from SSH or telnet, the session is closed. This is not the case with serial consoles unless the device automatically logs out due to inactivity.”
In other words, an attacker just has to wait for a valid user to authenticate. Once logged in, the attacker can either hijack the serial port connection or wait for them to become idle and then steal a pre-authenticated shell on the target device.
“The biggest challenge right now is awareness,” Moore said. “Few organizations are aware that their equipment can be accessed through serial ports connected through mobile networks. In some cases, the organization may assume that their specific mobile configuration prevents access from the internet, when that may not be the case. The wide use of mobile connections makes detection and response much more difficult.”
There are however some basic steps that can significantly reduce the risk of an attack through an exposed serial port server:
- Only use encrypted management services (SSL/SSH)
- Set a strong password and non-default username
- Scan for and disable ADDP wherever you find it
- Require authentication to access serial ports
- Enable RealPort authentication and encryption for Digi
- Use SSH instead of telnet & direct-mapped ports
- Enable inactivity timeouts for serial consoles
- Enable remote event logging
- Audit uploaded scripts
Moore explained that the stakes are even higher than he originally thought. “Serial port servers were the focus of this research, but as the project progressed it became clear that many of these devices are also used to manage other types of connections,” he explained. “For example, security systems may be connected viaDigi WAN devices, but instead of using a serial port, the Digi device is monitoring signals on GPIO pins. In the case of smart grid power meters, the Digi device was using Zigbee to communicate with the meters, and streaming the data back over MODBUS. Even though the primary use case is often serial port access, these devices are used to connect, translate and proxy much more than that.”