aNewDomain.net –- Security vulnerabilities are threatening all kinds of critical infrastructure equipment. We’re talking fuel pumps, traffic lights, industrial control systems and building automation hardware.
According to a study by Rapid7, the vulnerabilities lie at terminal servers that connect such devices to the Internet. That leaves them ripe for hacking by amateurs, professionals, and especially professional-level terrorists. These terminal servers have security vulnerabilities that make them susceptible to tampering and manipulation.
What’s up with these terminal stores. There are more than 114,000 terminal servers — most supplied by Digi International or Lantronix — and they allow relatively easy access to hackers, the study says.
A hacker could fairly easily access the serial ports on the server with Nmap, a pretty garden variety system scanning tool. Once he or she hit upon an active port, they’d gain access to the system and be able to control it right at the command line, researchers said.
Photo credit: Richard Hay for aNewDomain.net
Explained H.D. Moore, chief research officer for Rapid 7, which provided the report:
There is a little awareness of how exposed these devices are and no real push by either users or vendors to improve the situation … the sheer number of critical, bizarre and just plain scary devices connected to the Internet through serial port servers are an indication of just how dangerous the Internet has become.”
Some key systems that the report found vulnerable included: a humidity and temperature oil pipeline monitor, a public emergency notification system and a system for controlling building temperatures and ventilation systems.
There is a lack of awareness in IT systems, bascially, because you’re talking about hardware and systems that IT infrastructure doesn’t really notice or supports. It isn’t unusual for a company to be totally unaware about the existence of terminal servers — so protection just isn’t there.
Plus, there’s a false security. Equipment, often sold as so-called “secured” equipment, doesn’t also secure the terminal servers it’s up to companies to support. But you can’t support what you don’t know.
Joe Weiss, a security consultant for Applied Control Solutions, put it this way:
It’s like getting a toy for Christmas and you pull it out of the box expecting it to run, because the box doesn’t tell you it needs two AA batteries.”
Worse, Weiss noted that, because national security requirements don’t explicity refer to them, electric companies often overlook terminal servers and their vulnerabilities.
Because many terminal servers connect through cellular and 3G networks, they are often outside a firewall and much harder to protect.
“The biggest challenge right now is awareness,” Moore, the Rapid7, said in the alarming report. He continued:
Few organizations are aware that their equipment can be accessed through serial ports connected through … mobile networks. In some cases, the organization may assume that their specific mobile configuration prevents access from the Internet, when that may not be the case. The wide use of mobile connections makes detection and response much more difficult.”
Organizations are able to lower the risk of an attack through an exposed serial port server by just taking a few steps, Moore said:
- Stick with encrypted management services (SSL/SSH)
- Set strong passwords and non-default usernames
- Scan for and disable ADDP — wherever you find it on any system
- Always require authentication to access serial ports
- Make sure you enable RealPort authentication and encryption for Digi
- Use SSH instead of Ttelnet and direct-mapped ports
- Enable inactivity timeouts for serial consoles
- Enable remote event logging
- Audit uploaded scripts
Based in Silicon Valley, Chandler Harris is a senior editor at aNewDomain.net. He has written for numerous publications including Entrepreneur, San Jose Magazine, Government Technology, Public CIO, AllBusiness.com, U.S. Banker, Digital Communities Magazine, Converge Magazine, Surfer’s Journal, Adventure Sports Magazine, and the San Jose Business Journal.