There are more than 100,000 vulnerable outdated devices on the Internet, including critical systems ranging from traffic lights to fuel pumps to building heating and cooling systems, according to a security researcher.
H.D. Moore, chief research officer at the security firm Rapid7, showed how he was able to locate and access a hidden layer of vulnerable machines via 114,000 devices known as “serial servers” or “terminal servers,” systems that allow outdated hardware to remotely access the Internet via their serial ports. He discussed his research at the Infosec Southwest conference in Austin, TX.
While there are companies that have modernized their technologies, there are some firms that continue to use older, serial-connected equipment, and have bought networking products made by vendors like Digi and Lantronix to connect those legacy systems to modern networks.
As a result, Moore said quite a few of those older systems are exposed to hackers. “Serial servers act as a glue between archaic systems and the networked world,” Moore wrote in an FAQ accompanying his research. “These devices are widely used and have little built-in security, providing an easy route for attackers to compromise critical systems and confidential data.”
Analyzing a database of a year’s worth of Internet scan results he’s assembled known as Critical.io, as well as other data from the 2012 Internet Census, Moore discovered thousands of devices had no authentication, weak or no encryption, default passwords, or had no automatic “log-off” functionality, leaving them pre-authenticated and ready to access. Although he was careful not to actually tamper with any of the systems he connected to, Moore said he could have in some cases switched off the ability to monitor traffic lights, disabled trucking companies’ gas pumps or faked credentials to get free fuel, sent fake alerts over public safety system alert systems, and changed environmental settings in buildings to burn out equipment or turn off refrigeration, leaving food stores to rot.
About 95,000 of the devices connected via EDGE, GPRS and 3G cellular modems, creating connections that Moore said a firewall would not monitor. And in other cases Moore found Virtual Private Network servers and routers connected via the serial servers within corporations’ networks, creating a backdoor for hackers hoping to further penetrate a network or steal data. “It’s an attack vector most people wouldn’t think of,” Moore said. “And it’s not one they’d easily monitor.”
Moore said he is not pointing to Digi or Lantronix security bugs. Rather, the problem is insecure configurations of that equipment by customers who remain unaware of the risks of exposing their serial-connected equipment online. In his presentation to the Infosec audience, he offered a series of remediation steps like enabling authentication and encrypted connections to the serial-connected devices, requiring strong passwords rather than default ones, and setting automatic timeouts rather than requiring users to log off.
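As an added illustration (not Moore's tooling or anything from Rapid7, Digi or Lantronix), the following Python audits an inventory of serial-server configuration records against the remediation checklist above and ranks the devices for follow-up. The record fields, severity weights and sample inventory are all assumptions constructed for this example.

```python
# Defender-side audit of serial-server configuration records against the
# checklist in the article: authentication, encryption, non-default passwords,
# idle timeouts, plus the cellular-uplink and pre-authenticated-session issues.
# Field names, weights and sample data are constructed for this example.

DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}  # constructed sample set


def audit_device(dev):
    """Return (severity, finding) pairs for one constructed device record."""
    findings = []
    if not dev.get("auth_enabled"):
        findings.append((4, "no authentication on serial port access"))
    elif dev.get("password", "") in DEFAULT_PASSWORDS:
        findings.append((3, "default or blank password"))
    if dev.get("auth_enabled") and not dev.get("idle_timeout_s"):
        # With no timeout the session stays open after the operator leaves,
        # so the next connection finds the port already authenticated.
        findings.append((2, "no idle timeout: session may stay pre-authenticated"))
    if not dev.get("encrypted"):
        findings.append((2, "serial session is unencrypted"))
    if dev.get("uplink") == "cellular":
        # A cellular modem uplink never passes through the perimeter firewall.
        findings.append((2, "cellular uplink bypasses firewall monitoring"))
    return findings


def risk_score(dev):
    """Sum of finding severities; higher means fix first."""
    return sum(sev for sev, _ in audit_device(dev))


def prioritize(devices):
    """Return (name, score) pairs sorted worst-first for a remediation queue."""
    scored = [(d["name"], risk_score(d)) for d in devices]
    return sorted(scored, key=lambda r: r[1], reverse=True)


SAMPLE_INVENTORY = [  # constructed records, not real devices
    {"name": "fuel-pump-ts1", "auth_enabled": False, "password": "",
     "encrypted": False, "idle_timeout_s": 0, "uplink": "cellular"},
    {"name": "hvac-ts2", "auth_enabled": True, "password": "admin",
     "encrypted": False, "idle_timeout_s": 0, "uplink": "ethernet"},
    {"name": "vpn-console-ts3", "auth_enabled": True, "password": "x7!Qr9@wLm",
     "encrypted": True, "idle_timeout_s": 300, "uplink": "ethernet"},
]

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_INVENTORY):
        print(name, score)
```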
“It seems that you could deploy their software securely, but I don’t think anyone does,” Moore said. “It’s more of an issue of education. But some blame should be put on the vendors for not telling their customers how important this is.”
Lantronix declined to comment. But Digi, which sold more than 100,000 of the 120,000 servers connected to vulnerable systems Moore found, said they agree with Moore.
“H.D. Moore is calling attention to an area that Digi is passionate about,” said Digi chief technology officer Joel Young. Digi’s statement goes on to suggest users implement extra hardware to monitor their legacy systems for vulnerabilities.
“No matter how you do it, you have to lock these devices down,” Moore said. “You can’t automatically secure yourself just by adding a piece of equipment.”