The Internet of unsecured Things Part 2

A port server configuration screen

Set a strong password and non-default username!

This mantra is so corny that I should not mention it at all. However, there is a new twist to it:

Last week HD Morgan (the creator of Metasploit) presented his findings about vulnerabilities of serial port servers at the InfoSec Southwest 2013 conference.

Serial port or terminal servers provide TCP/IP connectivity for devices with serial (e.g. RS232, RS485) or sometimes non-serial (e.g. GPIO) interfaces. They are widely used to provide remote and out-of-band access to non-networked equipment, for example in industrial automation and environmental monitoring.

Configured properly, a modern port server allows the setup of secure point-to-point connections (for example via SSH / SSL) between one or more (serial) interfaces and the network-connected remote hosts.

Recently I used such a device (e.g. a 4-port server from Digi International) to connect some legacy RS232 devices to a LAN. However, it took some time to explore and evaluate all the available configuration options and security settings the port server offers.

This complexity might explain some of HD Morgan’s findings and recommendations (bar the one above).

In his research he pentested a large number of actually deployed port server systems he previously found via Shodan and the Internet Census 2012. Many of them showed significant weaknesses in their configuration and security settings, effectively allowing him to access the serial devices behind the port servers.

Based on his findings he made a number of recommendations regarding the proper configuration of port servers. Some of them are trivial or straightforward, for example:

  • Set a strong password and non-default username (sic!).
  • Only use encrypted management services (SSL/SSH).
  • Enable remote event logging.
  • Audit uploaded scripts.
  • Require authentication to access serial ports.

Two of them, however, caught my eye – I must admit I never thought of them:

  • Scan for and disable ADDP (Advanced Device Discovery Protocol) in order to make device discovery harder.
  • Enable inactivity timeouts for serial consoles to avoid session hijacking.
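As an added illustration (not part of the original post and not any vendor's tooling), the following Python audit turns the recommendations above into checks over a device's settings. The configuration layout, the list of factory account names, the password length and the idle limit are all assumptions; export your own device's settings into this shape before running it.

```python
# Added example: audit a port server's settings against the recommendations above.
# The config layout (dataclass fields) is a constructed abstraction, not a real
# vendor export format; the thresholds below are assumed policy values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEFAULT_USERS = {"root", "admin"}          # assumed common factory account names
CLEARTEXT_SERVICES = {"telnet", "http"}    # management services that should be off
MIN_PASSWORD_LEN = 12                      # assumed minimum password length
MAX_IDLE_SECONDS = 600                     # assumed upper bound for console idle time

@dataclass
class PortServerConfig:
    username: str
    password: str
    services: Set[str]                     # enabled management services
    remote_syslog: Optional[str]           # remote log host, None if logging is local only
    addp_enabled: bool                     # ADDP discovery responder on/off
    ports: Dict[str, dict] = field(default_factory=dict)  # name -> {"auth": bool, "idle_timeout": int}

def audit(cfg: PortServerConfig) -> List[str]:
    """Return one finding per violated recommendation; an empty list means clean."""
    findings = []
    if cfg.username.lower() in DEFAULT_USERS:
        findings.append("default username")
    if len(cfg.password) < MIN_PASSWORD_LEN:
        findings.append("weak password")
    for svc in sorted(cfg.services & CLEARTEXT_SERVICES):
        findings.append(f"cleartext management service: {svc}")
    if not cfg.remote_syslog:
        findings.append("remote event logging disabled")
    if cfg.addp_enabled:
        findings.append("ADDP discovery enabled")
    for name, port in cfg.ports.items():
        if not port.get("auth"):
            findings.append(f"{name}: no authentication required")
        timeout = port.get("idle_timeout", 0)
        if timeout <= 0 or timeout > MAX_IDLE_SECONDS:
            findings.append(f"{name}: inactivity timeout missing or too long")
    return findings

# Constructed sample: a weak configuration next to its corrected counterpart
WEAK = PortServerConfig("root", "password1", {"telnet", "http", "https"}, None, True,
                        {"port1": {"auth": False, "idle_timeout": 0}})
FIXED = PortServerConfig("ops-serial", "correct-horse-battery-staple", {"https", "ssh"},
                         "10.0.0.5", False, {"port1": {"auth": True, "idle_timeout": 300}})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit(cfg) or ["OK"])
```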

HD Morgan concluded his report as follows: “The sheer number of critical, bizarre, and just plain scary devices connected to the internet through serial port servers are an indication of just how dangerous the internet has become.”

I think there is nothing else to add.
