Thousands of SCADA, ICS Devices Exposed Through Serial Ports
Trailrunner7 writes "Serial port servers are admittedly old school technology that you might think had been phased out as new IT, SCADA and industrial control system equipment has been phased in. Metasploit creator HD Moore cautions you to think again. Moore recently revealed that through his Critical IO project research, he discovered 114,000 such devices connected to the Internet, many with little in the way of authentication standing between an attacker and a piece of critical infrastructure or a connection onto a corporate network. More than 95,000 of those devices were exposed over mobile connections such as 3G or GPRS. 'The thing that opened my eyes was looking into common configurations; even if it required authentication to manage the device itself, it often didn't require any authentication to talk to the serial port which is part of the device,' Moore told Threatpost. 'At the end of the day, it became a backdoor to huge separate systems that shouldn't be online anyway. Even though these devices do support authentication at various levels, most of the time it wasn't configured for the serial port.'"
Jan 10: Thousands of SCADA Devices Discovered on the Open Internet
Best part is, it's the same submitter. And y'all wonder why /. is dying.
There is hardware called "Remote Access Servers" that allow you to forward serial connections over a network connection via SSH or whatever.
Back in the olden days, equipment like this had serial port configuration interfaces which were intended for use by nearby administrators, via terminals and small local networks with no connectivity beyond the local facility. If longer distance administration was required, it was over dedicated copper loops. The internet was simply not used for these kinds of systems, and the idea that those devices would ever end up on a globally-accessible network with millions of untrusted devices was incomprehensible. As technology developed and the internet took over as the primary means of long-distance networked communication, these legacy devices were incorporated into a network environment that their engineers had never even considered. It's just not what they were made for. The devices are not to blame. Engineers and administrators who put them on public networks certainly are.
Try to convince an old plant manager he needs vpn. Try to explain to him what one is.
Infrastructure devices will have to be internetworked on a large scale.
Just saying "air gap" is, I'm afraid, a trite solution that will not meet the "smart grid" requirement to adjust energy flows dynamically based on a mixture of large-area and local algorithms.
So, aside from "air gap", what do people propose for securing widely internetworked smart critical infrastructure?
1. Use a second physically completely separate Internet for infrastructure only?
2. Work harder on secure tunnelling technology, put it on the "real" Internet, and use security management best practices?
3. What else?
Try to convince an old plant manager he needs vpn. Try to explain to him what one is.
It isn't as hard as you might think. "Do you lock the door to your house? A VPN is like that for your data."
It isn't a great analogy but trust me, it works. I've used it quite a few times.
If it weren't relatively common to find some flavor of modem (POTS or cellular) slapped on to the serial port, that might be slightly more comforting...
That's the great thing about serial ports. Thanks to standardization since the 80s sometime, you can make them vulnerable to the outside for under $100, and in a way likely to strike users as 'convenient'!
Try to convince an old plant manager he needs vpn. Try to explain to him what one is.
Define "old". Some 50 year olds were playing with TRS-80, Commodore PET and Apple II computers when they were kids in high school. I think we are at, or soon will be, past the point where "old" equates to unfamiliarity with digital technology.
Er... Typically these are tied to dial-up modems or to IP port servers. They are used to access systems when the secure front door is unavailable due to Internet outages, firewall problems or the access gateway being unavailable.
You would not think anyone would be so dumb to set these up but some may be legacy, or put in place by a local hero sysadmin.
It may even be, get this, a contractually required remote support access point. Many vendors have a very limited concept of what is required to prevent unauthorized access. One vendor sales guy told me that it was secure because no one would know about the dial up number and they had no reported break ins at other installations.
Sigh.
Of course there are ways of providing secure alternative access paths but there are a lot of folk who are under the impression that obscurity is sufficient.
Another issue besides the lack of authentication is the lack of logging and activity reporting. One outfit I did some work for spent a dinghy full of large bills on an IPS for the network side but would not pay for caller ID on their dial-up access point. Against their financial responsibility policy to pay for frivolous monthly charges.
Anyone else read the title as "Thousands of SCADA, Ice Cream Sandwich devices exposed through serial ports"?
You would not think anyone would be so dumb to set these up but some may be legacy, or put in place by a local hero sysadmin.
A lot of these are spare aux or console ports on Cisco routers. The actual syntax used to set one up is a bit contorted, so it's possible for someone inexperienced who is following crib notes to think they are just enabling access to the serial port from the router commandline when in fact they are also enabling an alternate telnet/ssh port.
Also a few of the newer platforms coming out from Cisco include the ability to run a linux server on the second core ("embedded service module") and the default configuration has a rather permissive "transport output" statement on the emulated serial port joining the IOS to the ESM.
LOM has mitigated the need for most of these setups, but there is still gear where the only reliable rescue console is on the serial port.
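The misconfiguration described in the comment above (an aux or vty line that ends up accepting inbound telnet/ssh with no login) is easy to catch in a running-config before the box goes live. The following is an added example, not code from the post or from Cisco, that parses the `line ...` stanzas of an IOS-style config and flags any line whose explicit `transport input` accepts inbound sessions without a `login` statement, or with a login but no `access-class ... in`. It evaluates only explicit statements because IOS defaults for `transport input` vary by version and line type; the config excerpt is constructed for the example and does not describe any real device.

```python
"""Audit IOS 'line' stanzas for inbound transports that lack authentication.

Added example: heuristic config linter, not a Cisco tool. It only looks at
explicit 'transport input' / 'login' / 'access-class' sub-commands; defaults
that differ across IOS releases are deliberately not assumed.
"""
import re

# Constructed sample running-config excerpt (not taken from any real device).
# 'line aux 0' is the classic mistake: the operator wanted reverse telnet out
# of the aux port but also opened it to inbound sessions with no login.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
line con 0
 login local
!
line aux 0
 transport input all
 transport output telnet
!
line vty 0 4
 login local
 transport input ssh
!
line vty 5 15
 transport input telnet
!
"""

# 'transport input' keywords that accept inbound sessions on the line.
INBOUND_TRANSPORTS = {"all", "telnet", "ssh", "rlogin", "lat", "pad", "mop", "v120"}


def parse_line_stanzas(config):
    """Return an ordered list of (line_name, [sub-commands]) for each 'line ...' stanza."""
    stanzas = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            stanzas.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return stanzas


def audit_lines(config):
    """Return [(line_name, severity, reason)] for each line that accepts inbound sessions.

    HIGH   : inbound transport enabled and no 'login' of any kind.
    MEDIUM : inbound transport enabled, login present, but no 'access-class ... in'.
    """
    findings = []
    for name, cmds in parse_line_stanzas(config):
        inbound = set()
        has_login = False
        has_acl = False
        for cmd in cmds:
            m = re.match(r"transport input\s+(.+)$", cmd)
            if m:
                inbound.update(m.group(1).split())
            if cmd == "login" or cmd.startswith("login "):
                has_login = True
            if cmd.startswith("access-class ") and cmd.endswith(" in"):
                has_acl = True
        inbound &= INBOUND_TRANSPORTS
        if not inbound:
            continue  # 'transport input none' or nothing explicit: not evaluated
        accepted = ",".join(sorted(inbound))
        if not has_login:
            findings.append((name, "HIGH",
                             "accepts %s with no login; fix: 'login local' "
                             "(or 'transport input none' if reverse telnet is not needed)"
                             % accepted))
        elif not has_acl:
            findings.append((name, "MEDIUM",
                             "accepts %s with login but no 'access-class ... in'"
                             % accepted))
    return findings


if __name__ == "__main__":
    for name, sev, reason in audit_lines(SAMPLE_CONFIG):
        print("%-7s %-12s %s" % (sev, name, reason))
```

Run against the sample, `line aux 0` and `line vty 5 15` come back HIGH and `line vty 0 4` MEDIUM; `line con 0` is not reported because it has no explicit inbound transport. Treat the output as a prompt to review the line, not as proof it is safe: an `access-class` that permits 0.0.0.0/0, or a `login` with no password set, would pass this check.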
Someone had to do it.
I like to use the following comparison: A VPN is like pulling a real cable between two machines that are separated over a large (or even short) distance.
Frequently I am called upon to work on a device remotely and the only way to access it without being constantly disconnected is through a service processor attached to a serial port or a serial port server. Proper troubleshooting involves being able to reboot a device without being disconnected, read the boot messages as they appear, and be able to access a maintenance or BIOS manager to fix it.
The security is there, it has to be properly implemented with a policy to follow and back it up. All of these do have security that at the very least is SSH (Cisco anyone?) and most times behind a firewall that is only accessible through a VPN. And even once you're VPN'd in, there is some form of authentication to go through to get to the serial device.
You can't call something legacy simply because it's been around for a long time. Legacy means that it's dropped out of widespread use and is only used in a few places if at all. Is TCP/IP legacy? It was created in the early 70's, but it's not. Is UNIX legacy? Same thing, only it's older. Floppy disks? Yeah, that's legacy. CD-ROM? Not yet, but getting there. Water cooling? Yep - Nope, it's making a comeback. Serial port? Maybe on a laptop, but every enterprise level device has some way to access the console away from ethernet and that invariably is serial.
Just cameras? You should see the physical security forums on LinkedIn. About once a month a person asks how to let his customer access their security system at a remote site and a busload of people immediately spout "DDNS". When I point out that there is no security on that they get all huffy and reply "We always turn on the firewall in Windows!" Feels like 1999 all over again.
I wouldn't worry about serial port servers much, that's really a case where 'security by obscurity' kind of works.
"Hey, a serial port! Let's send it some random ASCII commands!"
"Is it doing anything?"
"I don't know, can't tell. Screw this, let's play some more WoW."