Serial killer hack threat to gas pipes, traffic lights, power plants
Analysis Medical systems to traffic light boxes are apparently wide open to hackers thanks to a lack of authentication checks in equipment exposed to the internet.
That’s according to research from security toolmaker Rapid7, which says it found plenty of essential electronics that can be freely remotely controlled via public-facing serial port servers.
These serial port servers, also known as terminal servers or serial-to-Ethernet converters, pipe data to and from a device’s serial port over the internet. This allows workers to remotely control equipment – from sensors to factory robots – over the web or mobile phone network, which is handy when said machinery doesn’t offer an Ethernet connection.
These serial port servers also pop up alongside systems that track vehicles and cargo containers, and can provide auxiliary access to network and power equipment in case of some disaster.
Serial port servers are about the size of a home internet router with one or more serial ports on one side and an Ethernet interface on the other; some products feature wireless or mobile network connectivity.
Your common or garden serial port server (Credit: Rapid7)
A serial cable is plugged in between the port server and the target device – such as a router, server or industrial control system – and the port server is configured to allow remote access to the device: a user can log into the server via telnet, SSH or a web interface. This could involve typing in a correct username and password to satisfy the port server before the connection is passed onto the equipment.
A good deal of serial-connected machines each assumes that if someone can talk to it via a serial cable then that person is an authorised employee with physical access and thus no security checks are needed: it will accept commands from anyone communicating via its serial port, and thus it trusts the port server.
That’s why a port server should be configured to authenticate remote users, such as requiring a correct username and password combination, before handing over the reins to the sensitive equipment. If you can bypass or defeat the port server, the equipment is yours to control.
Some more paranoid machines require a valid username and password combination to be sent over the serial line, adding an extra level of security beyond the port server’s defences. But, according to Rapid7, too many machines do not have even these minimal levels of security.
How it all falls apart
The equipment’s serial port can also be exposed directly to the network by the Ethernet converter. In this mode, the port server acts as a TCP proxy and removes itself from the equation. Suddenly, the equipment is one step closer to a lurking miscreant.
This configuration allows vendor-specific software, running on a separate computer, to command the equipment over the network or internet via the port server using a proprietary protocol. The software may exchange cryptographic keys with the device to prove it is an authorised controller.
Generally speaking, network connections over TCP/IP typically timeout and die if they are left idle for too long. But connections over serial cables tend to stay active as long as the equipment remains powered up.
Thus, the researchers found that once a device – whose serial port is exposed directly to the network by the port server – is satisfied that it is talking to a trusted user, it will continue to accept any commands fired its way, via the public-facing port server acting as a TCP proxy.
An attacker therefore just has to wait for a valid user to authenticate before hijacking the machinery by firing his or her own commands at the open TCP port. Cisco devices have addition controls to timeout sessions, but otherwise defences against the attack are few and far between, Rapid7 warns:
The end result is that both the TCP proxy and proprietary access protocols lead to a situation where most of the serial ports exposed either require no authentication for an attacker to access. An analysis of internet-exposed serial port servers uncovered over 13,000 root shells, system consoles, and administrative interfaces that did not require authentication, many of which had been pre-authenticated by a valid user.
Claudio Guarnieri, a security researcher at Rapid7, told El Reg the range of vulnerable systems accessible via serial-to-Ethernet converters included medical devices, traffic control systems, fleet tracking networks and even gas and oil pipelines. The common problem in all cases was either weak or nonexistent authentication checks.
“You have to know how to look for these systems but they’re out there,” Guarnieri explained. “Once in, anything from raising the temperature in a chemical tank to controlling the traffic lights in a city might be possible. You could shut down the power grid.”
Next page: How the vulnerable systems were found