Serial port servers are admittedly old school technology that you might think had been phased out as new IT, SCADA and industrial control system equipment has been phased in. Metasploit creator HD Moore cautions you to think again.
Moore recently revealed that through his Critical IO project research, he discovered 114,000 such devices connected to the Internet, many with little in the way of authentication standing between an attacker and a piece of critical infrastructure or a connection onto a corporate network. More than 95,000 of those devices were exposed over mobile connections such as 3G or GPRS.
Serial port servers, also known as terminal servers, provide control system or IT administrators with remote access to non-networked equipment, enable tracking of physically mobile systems, or out-of-band communication to network and power equipment in case of outages. Not only do they provide serial port connections to devices, but many are wireless-enabled.
“The thing that opened my eyes was looking into common configurations; even if it required authentication to manage the device itself, it often didn’t require any authentication to talk to the serial port which is part of the device,” Moore told Threatpost. “At the end of the day, it became a backdoor to huge separate systems that shouldn’t be online anyway. Even though these devices do support authentication at various levels, most of the time it wasn’t configured for the serial port.”
Attackers who are able to gain access to the serial port are golden because once they’re on the server, the device assumes they are physically present and doesn’t require an additional log-in, Moore said. Making matters worse, he added, automatic log-offs are not enabled.
“So an administrator who logged into a device like an industrial control system, an attacker can follow behind them and take over an authenticated session to a serial port,” Moore said. “There are a huge number of devices out there are exposing an interactive administrative or command shell without any authentication because an administrator had previously authenticated and left the session open.”
An attacker with essentially undetectable access is able to capture or manipulate data moving through the serial port. Moore said it would be possible to add a signature to the device, for example that any time the word password appears, that UDP packet and the entire serial session could be mailed to a third party.
“If you’re looking to steal data, you could write a rule where it emails you the data you care about as it floats across the serial port,” he said, adding that attackers could mess with anything from HVAC, to oil pipelines, traffic signal or even corporate VPN connections, essentially opening a backdoor into a company’s networked resources.
Access to a remote serial port happens via a log-in over telnet, SSH or Web interface, Moore said. You could also connect to a specific TCP port that acts as a proxy for the serial port. Telnet, SSH or a Web interface requires authentication, however, an attacker could telnet into a TCP connection without authentication because the devices are configured under the assumption that anyone with access is physically connected to the serial port. Moore said he found more than 13,000 root shells, system consoles and admin interfaces that did not require authentication or were pre-authenticated. However, Moore said he was unaware of any attacks.
“Seeing how much stuff that’s out there, it’s kind of surprising no one has,” Moore said. “You don’t need to know anything about serial ports to start exploiting this stuff. If you scan, you start seeing random authenticated router shells popping up. For an attacker, they don’t have to know that’s a serial port, they’ll just say ‘hey cool, a shell.’”
As far as remediation, Moore said he is trying to bring awareness to the issue now and is encouraging companies to only use encrypted management services, require authentication for serial ports, enable activity timeouts for serial consoles and other best practices.
Photo courtesy HD Moore.