Attackers could reach traffic lights and fuel pumps through exposed serial port servers, according to Rapid7. The security company warns that thousands of systems are open to attack because they are connected to the Internet through insecurely configured terminal servers.
More than 114,000 serial port systems are vulnerable, most belonging to Digi International or Lantronix, according to the company. Most of the servers access the Internet through mobile connections and 3G network cards, which makes their security hard to control. Besides traffic lights and fuel pumps, POS terminals and building automation systems are also easy to breach.
"Few organizations are aware that their equipment can be accessed through serial ports connected through mobile networks," Rapid7 chief research officer H.D. Moore said. "In some cases, the organization may assume that their specific mobile configuration prevents access from the internet, when that may not be the case. The wide use of mobile connections makes detection and response much more difficult."
One vulnerable terminal server analyzed by Rapid7 provided direct Internet access to confidential payment information on a dry cleaner's server. Other systems monitored humidity and temperature in oil pipelines or controlled ventilation in office buildings.
The terminal server manufacturers acknowledged the same concerns and said companies should not rely solely on the security built into the terminal servers themselves.
"Many of these devices being secured have small amounts of processing power or memory," Digi International CTO Joel Young told Computerworld. "Relying only on the security in the device can limit the security that can be implemented. We participate in many industry groups and forums on this topic."
Serial port servers, or terminal servers, expose the serial port of another device (a router console, a PLC, a modem, a payment terminal) as a TCP/IP service, so whoever can reach that TCP port can talk to the attached equipment as if they were plugged into it locally. The devices also provide location tracking, monitoring and out-of-band access to network and power equipment in case of an outage.
To keep terminal servers from being compromised, companies should avoid weak or widely reused passwords (Rapid7 points to the well-known list of the worst passwords of 2012), use non-default user names, require authentication before a session is bridged to the serial port, and manage the devices only over encrypted services such as SSH rather than plain telnet.
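The first thing a practitioner will want after reading this is a way to check their own terminal servers for the failure the article describes: a TCP port that hands out the attached serial console without asking for credentials. The script below is an added example and is not Rapid7's scanner or any vendor's code. It connects to a host and port, sends a carriage return, and classifies the response as an authentication prompt, an open console, or a closed port. The port numbers in COMMON_SERIAL_PORTS are assumptions about common vendor defaults, not figures from the article, and the "fake gateway" is a constructed in-process stand-in so the example runs offline.

```python
import socket
import threading

# Assumed, commonly used raw-TCP serial ports (not from the article):
# Digi "TCP socket" service on 2101, Lantronix channel 1 on 10001, telnet on 23.
COMMON_SERIAL_PORTS = (2101, 10001, 23)

# Strings that indicate *someone* is asking for credentials before giving
# up the console.  Matching is case-insensitive.
AUTH_PROMPTS = (b"login:", b"username:", b"user name:", b"password:")


def probe_serial_gateway(host, port, timeout=2.0):
    """Probe one host:port and classify what an unauthenticated client gets.

    Returns (status, banner) where status is one of:
      'closed'        - no TCP connection could be made
      'auth-prompt'   - the first bytes back look like a login/password prompt
      'open-no-auth'  - the port accepted us and handed over a console
                        (or sat silently, which is what an idle raw serial
                        bridge does) without asking for anything
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"\r\n")          # wake up whatever sits behind the bridge
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""            # accepted connection, nothing said
    except OSError:                     # refused, unreachable, timed out
        return "closed", b""
    if any(p in banner.lower() for p in AUTH_PROMPTS):
        return "auth-prompt", banner
    return "open-no-auth", banner


def audit_hosts(hosts, ports=COMMON_SERIAL_PORTS, timeout=2.0):
    """Probe every host on every port; return a list of (host, port, status)
    for ports that accepted a connection (closed ports are omitted)."""
    findings = []
    for host in hosts:
        for port in ports:
            status, _ = probe_serial_gateway(host, port, timeout)
            if status != "closed":
                findings.append((host, port, status))
    return findings


def start_fake_gateway(banner):
    """Constructed stand-in for a terminal server, used only for the demo:
    listens on an ephemeral loopback port, answers one client with `banner`.
    Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        try:
            conn.recv(64)               # consume the probe's CR/LF
            if banner:
                conn.sendall(banner)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_loopback_port():
    """Bind-and-release an ephemeral port so a probe against it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Two constructed devices: one that asks for a login, one that drops you
    # straight onto a modem-style console.
    guarded = start_fake_gateway(b"\r\nSerialServer login: ")
    exposed = start_fake_gateway(b"ATZ\r\nOK\r\n")
    for port in (guarded, exposed, unused_loopback_port()):
        status, banner = probe_serial_gateway("127.0.0.1", port)
        print(f"127.0.0.1:{port}  {status:13s} {banner!r}")
```

Treat 'auth-prompt' as a weak signal only: the prompt may come from the equipment on the far side of the serial cable (a router or PLC console), not from the terminal server, in which case the attacker is already past the bridge and is now guessing the equipment's password. Run the audit from the same mobile carrier network the devices use, not only from the office LAN, since that is the path Rapid7 found the exposed devices on.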