Serial Offenders FAQ


7/28/2019 Serial Offenders FAQ

Rapid7 Corporate Headquarters 800 Boylston Street, Prudential Tower, 29th Floor, Boston, MA 02199-8095 617.247.1717 www.rapid7.co

Serial Offenders: Widespread Flaws in Serial Port Servers

Frequently Asked Questions

What do I need to know?

Thousands of organizations are at risk due to misconfigured serial server devices that connect business IT and industrial control systems to the internet. These devices are widely used and have little built-in security, providing an easy route for attackers to compromise critical systems and confidential data.

Rapid7 found over 114,000 insecure serial servers connected to the internet, many of which provided little or no access control to their connected serial ports. These devices connect to, and hence expose, a wide range of business-critical systems, such as:

- Retail point-of-sale systems
- HVAC, SCADA, and ICS equipment
- Location tracking of trucks, trains and cargo containers
- Linux, BSD, and Unix servers
- VPN servers and network devices

What technology does this relate to?

Serial servers, also known as terminal servers or network access servers, provide remote access to one or more serial ports over TCP/IP. These devices are designed to allow an administrator to treat a remote serial port as if it was local, and to manage devices that are otherwise not connected to the public internet. Serial servers act as a glue between archaic systems and the networked world.

Serial servers are used to manage equipment responsible for industrial control applications, point of sale terminals, vehicle fleets, traffic signals, cargo tracking, energy systems, fueling stations, and telecom infrastructure. Although the most common form of connectivity is Ethernet, many terminal servers connect to the public internet through wireless modems, with the latest models supporting 3G and 4G networks.

Terminal servers support multiple forms of internet connectivity: the most common is Ethernet, but 4G, 3G, GSM, WiFi, satellite, and modem-based solutions are also widely used.

The specific vendors included in this research include:

- Digi International
- Lantronix
- Xyplex

What is the security issue specifically?

Internet-attached serial servers are exposing many organizations to attack through the combination of weak security capabilities and common user behavior.

Two specific issues with authentication lead to the exposure of critical systems.


Serial-port enabled devices often require authentication before allowing administration or device functionality through the serial port. The concept of logging off, however, usually requires an action on the part of the user. If a user accesses a remote serial port through a terminal server, authenticates, and disconnects, the serial console is left in an authenticated state. An intruder can connect to the terminal server and take over the authenticated serial console.

Terminal servers often support authentication, but this may only apply to the administration of the terminal server device, and not actually control access to the attached serial ports. This leads to a false sense of security among the users of these devices.
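To make the two authentication failures concrete, the following is an added Python model written for this FAQ; it is not Rapid7 code and does not reproduce any vendor's firmware. It simulates a terminal server bridging TCP clients to one serial console that has its own login prompt. The class names, the `login`/`exit`/`port-login` commands, the passwords, and the `logout_on_disconnect` and `port_password` options are all constructed for the illustration: the first option stands in for a server that forces the attached console to log out when the TCP client drops, the second for per-port authentication that is independent of the server's admin password.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SerialConsole:
    """The device hanging off the serial port (a router or POS terminal console).
    It sees only bytes on the wire and stays logged in until it is told to log
    out; it has no idea that TCP clients on the terminal server come and go."""
    password: str
    logged_in: bool = False

    def handle(self, line: str) -> str:
        if not self.logged_in:
            if line == "login " + self.password:
                self.logged_in = True
                return "console> "
            return "Password: "
        if line == "exit":
            self.logged_in = False
            return "Password: "
        return "ran '%s'" % line


@dataclass
class TerminalServer:
    """Serial server bridging TCP sessions to one console port (constructed model).
    port_password=None models a server whose only authentication covers its own
    admin interface, so the port itself is unprotected (issue 2).
    logout_on_disconnect models a server that forces the attached console to log
    out when the TCP client goes away (mitigation for issue 1)."""
    console: SerialConsole
    admin_password: str            # never consulted for port access: that is the point
    port_password: Optional[str] = None
    logout_on_disconnect: bool = False

    def connect(self) -> "Session":
        return Session(self)


@dataclass
class Session:
    """One TCP client connected to the terminal server's serial port."""
    server: TerminalServer
    port_authenticated: bool = False
    is_open: bool = True

    def send(self, line: str) -> str:
        if not self.is_open:
            raise RuntimeError("session closed")
        srv = self.server
        # Per-port authentication: nothing reaches the console until the client
        # has proven it may use this port (independent of the admin password).
        if srv.port_password is not None and not self.port_authenticated:
            if line == "port-login " + srv.port_password:
                self.port_authenticated = True
                return "port unlocked"
            return "Port password: "
        return srv.console.handle(line)

    def disconnect(self) -> None:
        self.is_open = False
        if self.server.logout_on_disconnect:
            # Constructed stand-in for dropping DTR or sending the console's
            # logout sequence so no authenticated console outlives its client.
            self.server.console.handle("exit")


def stale_session_hijackable(logout_on_disconnect: bool) -> bool:
    """Issue 1: a user authenticates to the console, then closes the TCP client
    without typing 'exit'. Does the next client, with no credentials at all,
    land in that still-authenticated console?"""
    ts = TerminalServer(SerialConsole("c0ns0le"), admin_password="adm1n",
                        logout_on_disconnect=logout_on_disconnect)
    first = ts.connect()
    first.send("login c0ns0le")
    first.disconnect()
    second = ts.connect()
    return second.send("show running-config").startswith("ran ")


def port_reachable_without_auth(port_password: Optional[str]) -> bool:
    """Issue 2: does a client that never authenticated to the terminal server
    get its bytes relayed to the console? With admin-only authentication the
    answer is yes; the admin password never enters the picture."""
    ts = TerminalServer(SerialConsole("c0ns0le"), admin_password="adm1n",
                        port_password=port_password)
    client = ts.connect()
    return client.send("show running-config") != "Port password: "


if __name__ == "__main__":
    print("stale console hijackable, no forced logout:", stale_session_hijackable(False))
    print("stale console hijackable, forced logout:   ", stale_session_hijackable(True))
    print("port reachable, admin auth only:           ", port_reachable_without_auth(None))
    print("port reachable, per-port auth:             ", port_reachable_without_auth("p0rt"))
```

Running the module prints True/False/True/False: without a forced logout the second client inherits the authenticated console, and with admin-only authentication the port is reachable by anyone who can open the TCP socket. On real equipment the two modelled knobs correspond to enabling per-port authentication where the product offers it, configuring the server to reset the serial line (drop DTR) when the TCP client disconnects, and setting an idle timeout on the attached device so a forgotten console logs itself out; none of these substitutes for keeping the server off the public internet.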

In addition to the authentication-related issues above, these devices often suffer from issues common across all embedded systems:

- Default and backdoor credentials left enabled in production
- Network services vulnerable to memory corruption flaws
- Weak or non-existent encryption of communications
- Undocumented discovery services exposed

Additionally, a significant proportion of the devices identified are connected via cellular and 3G network cards, which means they are always outside the firewall. Over 95,000 of the 114,000 total devices found are exposed in a way that is really difficult to monitor and protect, let alone secure. This equipment is exposing thousands of critical systems and a vast amount of confidential data to breach through trivial attack methods.

Rapid7 has created a presentation and blog post explaining the security issues identified by this research; the blog post is linked at the end of this document.

Who does this affect?

These security flaws affect organizations and their customers operating in all sectors. Examples include:

- A coal mining firm that uses 3G-enabled devices to monitor train cargo. Connecting to the device results in a stream of GPS coordinates being available over the serial port.
- A national chain of dry cleaners that uses these devices to access the point-of-sale systems at each location. The serial ports dump you straight onto the employee terminal, where confidential payment information can be accessed.

How did we find this? What was the timeline?

These findings are the result of analysis of data uncovered through HD Moore's critical.io project, which continuously scanned the global IPv4 internet between February 2012 and March 2013. The project aimed to uncover large-scale vulnerabilities and security issues such as this in order to help educate organizations and individuals and help them manage their risk. Rapid7 additionally leveraged data from multiple public sources, as well as performing further analysis on hardware obtained from online auction sites. The analysis was conducted in April 2013.

Is this being exploited in the wild? How easy is it for attackers to take advantage of this?

Rapid7 has not investigated whether these issues are being exploited in the wild; however, exploitation of a misconfigured serial server is trivial and we strongly recommend that organizations take appropriate mitigation steps.

https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers