New Tech Lets Hackers Break Into Old Devices
Two serial port servers; the Lantronix at left connects to Ethernet, while the Digi at right uses Wi-Fi.
CREDIT: Lantronix/Digi International
Gas pumps, streetlights, heating systems, cash registers: You wouldn't think of these things as Internet-equipped, much less hackable. But not only can hackers take over these and other common everyday systems — it's absurdly easy for them to do so.
The security vulnerability comes from outdated pieces of hardware called serial ports. You might remember them as those nine-pin or 25-pin connectors you'd plug into your joysticks and IBM laptops back in the day. Serial ports on PCs have largely gone the way of the floppy disk, but plenty of old computerized systems still include them.
In order to connect these fuddy-duddy legacy devices to the Internet, their owners use small adapters called serial port servers, serial servers or terminal servers. Each serial server plugs into a serial port on one end, translates the port's signal and relays the signal out to a wider network, and finally to the Internet using an Ethernet, Wi-Fi or cellular connection.
What's more, serial port servers lack a number of security features that modern computer users have come to take for granted. For example, serial port servers have no automatic log-off, meaning if you sign in, then disconnect, you've left the server in its logged-in state. It's like leaving your back door unlocked — or even wide open.
H.D. Moore, chief security officer at Boston-based security-testing company Rapid7, reported at the InfoSec World Conference in Orlando, Florida, that he's found approximately 114,000 exposed devices across multiple sectors.
"Internet-attached serial servers are exposing many organizations to attack through the combination of weak security capabilities and common user behavior," Rapid7 stated in its report FAQ.
The report illustrates just how widespread the vulnerability is, from a mining company that monitors the locations of its cargo trains to a national dry cleaning chain that handles confidential payment information. These companies and more all use serial port servers to remotely access their closed networks, and when they do, it's all too easy for hackers to follow.
"The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become," Moore wrote on Rapid7's blog.
Rapid7's findings come just months after earlier discoveries by the company prompted the U.S. government to release a security advisory regarding vulnerabilities in Universal Plug and Play, a common protocol used in home and office devices such as smart TVs, printers and storage drives.
Rapid7 has yet to turn up evidence of actual exploitation via serial port servers. But that doesn't minimize the risk. The firm's findings are drawn from analysis of Moore's critical.io project, a yearlong Internet scan that ran from February 2012 to March 2013.