A large number of terminal servers, which are also called serial port servers and are used to provide remote access to non-networked equipment such as point-of-sale systems and environmental controls, are at risk of becoming the targets of vulnerability exploits. Rapid7 researcher HD Moore recently presented a study and published an accompanying blog post showing that more than 114,000 serial port servers are accessible over the internet, with a significant share offering administrative access to connected systems.
Misconfiguration of and a lack of substantial built-in software security in devices from the two primary serial port server manufacturers, Digi International and Lantronix, means that attackers have an easy vector for accessing a variety of business critical systems, Rapid7 noted. Serial servers enable organizations to connect legacy systems with a networked environment, and they are often used to manage equipment and tools such as retail POS systems, HVAC and ICS equipment, vehicle fleet and cargo location trackers, traffic signals and telecom infrastructure. Among the exposed systems discovered in Rapid7’s research were a coal-mining firm’s cargo tracking tool, which attackers could use to stream train GPS coordinates, and a national dry cleaning chain’s employee terminals, on which attackers could access payment information.
Too much connectivity, too much trust
Serial servers are generally connected via Ethernet, but many also connect to the internet using wireless modems that support 3G and 4G networks. This type of mobile connectivity places devices outside of firewalls, making them difficult to secure, Moore explained. The problem is compounded by the fact that remote serial port connections are rarely encrypted. There are three common access methods: login over telnet, SSH or web interface; connection to a specific TCP port and access over a proprietary protocol using vendor-specific software. The first is more likely to be secure, but the latter two are rarely encrypted and require only a single layer of authentication – or, in many cases, devices do not need authentication because it is assumed they are physically connected to the serial port.
“Serial port servers change the authentication model in two significant ways,” Moore explained on the Rapid7 blog. “First, the concept of trusting a physical port goes out the window when that port is exposed to the internet, especially without an initial layer of authentication. Second, there is a significant difference between a SSH or telnet session and an authenticated serial console. If the user disconnects from SSH or telnet, the session is closed. This is not the case with serial consoles unless the device automatically logs out due to inactivity. Very few systems support inactivity timers on serial consoles.”
Using customized search modules and public sources such as the Shodan search engine, Rapid7 was able to identify more than 13,000 serial ports out of 114,000 accessible IP addresses that offered some level of administrative access to anyone who connects to them. Representatives from Digi and Lantronix both spoke to Computerworld, acknowledging the problem and pointing out that end users need to be more careful in configuring authentication on their products.
Given the small amount of memory in the devices, trusting in the security on the level of the embedded software is not enough, Digi CTO Joel Young told the publication. Users need to supplement security with network-level safeguards. Daryl Miller, vice president of engineering at Lantronix, urged users to implement encryption. According to Moore, however, more could be done to improve security on a device level.
“There is a little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation,” he wrote. “A list of vulnerable organizations can be pulled from public sources such as SHODAN and the Internet Census 2012 data set. The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become.”
Manufacturers of networking equipment can strengthen software security by including automated safeguards. Given the vulnerability of these systems, manufacturers of connected devices also need to ensure they are addressing security in their development process with tools such as static analysis software. With more attention paid to security in all aspects of connected devices, from the terminal server level to the embedded software of devices themselves companies can reduce the threat of remote attacks. In the meantime, users can protect themselves by configuring terminal servers to only use encrypted management services, requiring authentication, setting a strong password and enabling inactivity timeouts, Moore noted.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.