Terminal Flaws May Help Hackers Breach Stoplights, Gas Pumps
Hackers may breach stoplights and gas pumps through vulnerable serial port systems, according to Rapid7. The security company warns thousands of systems are exposed to cyber-attacks because they connect to the Internet through insecure terminal servers.
More than 114,000 serial port systems are vulnerable, most belonging to Digi International or Lantronix, according to the company. Most of the servers access the Internet through mobile connections and 3G network cards, which makes their security hard to control. Besides traffic lights and fuel pumps, POS terminals and building automation systems are also easy to breach.
“Few organizations are aware that their equipment can be accessed through serial ports connected through mobile networks,” Rapid7 chief research officer H.D. Moore said. “In some cases, the organization may assume that their specific mobile configuration prevents access from the internet, when that may not be the case. The wide use of mobile connections makes detection and response much more difficult.”
One vulnerable terminal analyzed by Rapid7 provided direct Internet access to confidential payment information on a dry cleaner’s server. Other systems monitored humidity and temperature in oil pipelines or controlled ventilation in office buildings.
The terminal manufacturers admitted they share the same concerns, and said companies shouldn’t rely only on the security of the terminal servers themselves.
“Many of these devices being secured have small amounts of processing power or memory,” Digi International CTO Joel Young told Computerworld. “Relying only on the security in the device can limit the security that can be implemented. We participate in many industry groups and forums on this topic.”
Serial port servers, or terminal servers, allow remote access to the serial port of another device over TCP/IP. The devices also provide location tracking, monitoring and out-of-band access to network and power equipment in case of an outage.
To prevent terminal servers from being hacked, companies should avoid passwords from the list of the scariest 2012 passwords. They should also choose non-default user names, require authentication to access serial ports and use encrypted services to access the devices.