Security researcher HD Moore announced earlier this week that Internet scans he had performed turned up 114,000 serial devices attached to the Internet, nearly all of which are either poorly secured or not secured at all. Since his initial announcement, Moore has added a group of modules that scan for such devices to the Metasploit penetration testing framework, which he created in 2003.
Specifically, Moore reported that: "Over 95,000 of these systems were exposed to the Internet through mobile connections such as GPRS, EDGE and 3G. Another 14,000 unique IPs were identified running Digi, or Digi-based devices using Digi's proprietary Advanced Device Discovery Protocol (ADDP). FTP and telnet banners identified another 8500 devices as either Digi or Lantronix boxes."
In an online FAQ that accompanied a blog posting on the subject, Moore said: "Serial servers act as a glue between archaic systems and the networked world." Historically, they are old-school gear used to connect a mainframe computer to an Ethernet network. Users could then access the mainframe remotely via the telnet utility.
There's not too much telnetting into VAX computers going on these days, but the basic principle of being able to connect to a device through a serial port and a terminal server still has plenty of uses. A primary use is placing a serial port on a network device so it can be configured for use. Since it can't be configured over the network (the point of the configuration, after all, is to make it see the network), you can plug into the serial port and configure the device in terminal mode.
So there are plenty of serial devices out there, made principally by Digi International and Lantronix. Moore said thousands of the devices will interact across the network without requiring authentication. These devices are connected to real-world devices such as traffic lights and fuel pumps, and are in tracking devices used to monitor the locations of those big flashing highway signs that alert motorists to upcoming road repair sites.
There is, Moore said, a national chain of dry cleaners that uses these devices to access the point-of-sale systems at each location. Serial port devices used by the chain provide direct access to employee terminals containing confidential payment information.
While the devices Moore found are largely unsecured, in many cases there are ways to considerably improve their defenses. Asked in a telephone interview whether users should replace their serial devices, Moore said they "don't necessarily need to replace these devices. With many of the devices, especially the newer devices from Digi, the device supports Secure Shell transport. Once you authenticate, it drops to the serial port. It's a straightforward way to secure these things, but no one happens to be using it," Moore said.