Vulnerable terminal servers could let bad guys hack stoplights, gas pumps

Industrial control systems, traffic signal controllers and fuel pumps are easily hacked via poorly configured serial port systems, Rapid7 says

Thousands of older systems, including those used to manage critical industrial control equipment, traffic lights, fuel pumps, retail point-of-sale terminals and building automation are vulnerable to tampering because they're insecurely connected to the Internet via terminal servers.

A terminal server, or a network access server, basically provides an easy way to connect any equipment that has a serial port to the Internet.

In a recent study, security firm Rapid7 found more than 114,000 terminal servers on the Internet configured in a way that could allow anyone to gain access to the underlying systems. Most of the systems were from Digi International and Lantronix, two leading manufacturers of terminal server devices.

About 95,000 of those servers connected to the Internet via cellular mobile connections and 3G network cards, making them hard to protect, monitor and secure, according to H.D. Moore, the chief research officer at Rapid7 and the author of the study.

Among the systems was one responsible for monitoring humidity and temperature in oil pipelines, another designed to notify the public of emergencies and one used to control temperature and ventilation systems in a building. In one instance, the company discovered a terminal server that provided direct Internet access to confidential payment information contained in a server belonging to a national chain of dry cleaners.

The exposed systems run the gamut from corporate VPNs to traffic signal monitors, Moore said. In more than 13,000 cases, the terminal servers provided a way for anyone on the Internet to gain some form of administrative control of the attached device.

The problem largely involves how organizations configure terminal servers to connect to the Internet, Moore said. They can connect to the Internet via Ethernet, 3G and 4G wireless modems, GSM and satellite connectivity.

Terminal servers allow remote access to connected devices and allow administrators to manage a connected device, monitor it or to extract information from it. In some cases, terminal servers are used to provide an extra "out-of-band" way to access a system or network component in the event of disruption or outage.

Many organizations appear to be unaware of the security risks they face using terminal servers, Moore said, noting that they haven't paid enough attention to authentication measures to control access to the servers and connected systems.

For instance, while terminal servers support authentication, that authentication often applies only to the terminal server itself -- not to the attached serial port, he said. As a result, organizations may have a mistaken sense of security about access to the serially attached devices, he said.

Serial-port-enabled devices also often require users to actively log off a system once they are done. If a user fails to do so, the service console is left in an authenticated state and can be used by an attacker to take control, Moore said.

One port-enabled device uncovered during the research had remained in a fully authenticated state for more than 990 straight hours because an administrator failed to log off the system, he said.

In addition, terminal server devices often come with default passwords and backdoors that are left in place. Many of these systems also have weak or non-existent encryption technologies to protect communications, he said.

The fact that a large number of terminal servers connect via cellular and 3G networks means that they are outside a traditional firewall and, therefore, much harder to protect, he said.

Moore's recommendations for protecting terminal servers include the use of strong passwords and non-default user names, authentication to access serial ports and the use of encrypted services such as SSL and SSH to access the devices.
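As an added example (not from the article or from Rapid7's study), a short Python checker for the stale-session problem described above: it walks a constructed, hypothetical serial-console event log and reports ports whose session was authenticated, never logged out, and has been idle longer than an assumed limit. The log format, the field names and the 30-minute limit are all assumptions for illustration.

```python
"""Flag serial-console sessions that were authenticated but never logged out.

Added example; the log format is constructed: one event per line, an ISO-8601
UTC timestamp, then key=value fields. Real terminal servers log differently,
so adapt parse_line() to the device's own format."""
from datetime import datetime, timezone

MAX_IDLE_HOURS = 0.5  # assumed policy value, not a vendor default

# Constructed sample log: port 1 logs out cleanly; ports 2 and 3 never do.
SAMPLE_LOG = """\
2013-04-01T08:00:00Z port=1 user=ops event=login
2013-04-01T08:20:00Z port=1 user=ops event=logout
2013-04-01T09:00:00Z port=2 user=admin event=login
2013-04-01T09:05:00Z port=2 user=admin event=cmd
2013-04-03T10:00:00Z port=3 user=field event=login
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a tz-aware 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def stale_sessions(log_text, now, max_idle_hours=MAX_IDLE_HOURS):
    """Return {port: (user, idle_hours)} for sessions still open at `now`
    whose last activity is older than max_idle_hours."""
    open_sessions = {}  # port -> (user, last activity timestamp)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "logout":
            open_sessions.pop(rec["port"], None)
        else:  # a login or any later activity refreshes the idle timer
            open_sessions[rec["port"]] = (rec["user"], rec["ts"])
    stale = {}
    for port, (user, last) in open_sessions.items():
        idle = (now - last).total_seconds() / 3600
        if idle > max_idle_hours:
            stale[port] = (user, round(idle, 2))
    return stale


def demo():
    """Run the check on the constructed log as of a fixed point in time."""
    return stale_sessions(SAMPLE_LOG, datetime(2013, 4, 11, 9, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for port, (user, idle) in demo().items():
        print(f"port {port}: user {user} still authenticated, idle {idle}h, no logout")
```

Any port the check reports is a console an attacker on the same network path could pick up without ever authenticating, which is the condition the automatic time-out feature mentioned later in the article is meant to prevent.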

Joel Young, CTO of Digi International, said that the Rapid7 report highlights some of the same concerns Digi has about how terminal servers are configured.

"Moore is calling attention to an area that Digi is passionate about," Young said in emailed comments. "We participate in many industry groups and forums on this topic."

Young agreed with Moore's recommendations and urged companies not to rely just on the security in terminal servers to protect access to systems. "Many of these devices being secured have small amounts of processing power or memory. Relying only on the security in the device can limit the security that can be implemented," he said.

Daryl Miller, vice president of engineering at Lantronix, said that the company's products offer a robust set of authentication and encryption protocols as well as guidance on how to use them. In addition, all of the company's products support an automatic time-out feature that automatically shuts down a remote session after a predetermined period of inactivity.

Given those controls, it's "quite amazing how many customers are still leaving things wide open" through improper configuration, he said. "We encourage them to make sure they are taking appropriate steps to enable encryption and authentication."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
