Thousands of serial servers connected to the internet aren’t password protected and lack encryption, leaving data that transfers between them and devices they’re connected to open to snooping, experts warn.
To make matters worse, the servers, manufactured by Taiwan-based networking device company Moxa, have had shoddy security for a while, according to researchers at Rapid7.
Joakim Kennedy, a researcher with Rapid7 disclosed several flaws in the servers via an advisory Thursday, including some vulnerabilities the company initially reported to the Moxa back in 2013 that still linger in the products. Kennedy claims a handful of servers the company makes are unprotected, but that Moxa’s NPort 5100 series of servers are the biggest culprit here. Since users aren’t required to set a password for them, many don’t, and simply configure them via a web interface and a TELNET.
That means if an attacker wanted to connect to a server, something that’s become increasingly easy, especially in the age of Shodan, they could. After doing so, attackers have access to a slew of settings, including the ability to change the servers’ password, along with DIO, operating, and accessible IP settings.
The company detected at least 5,000 web servers fingerprinted as Moxa devices and 2,200 devices, 46 percent of which aren’t password protected, that can be reached through the internet. While the bulk of the devices are in Russia and Taiwan, some are based in the U.S. and Europe. Since serial servers can be connected to things like medical devices, point of sale systems, and industrial apps to allow for remote administration, the lack of security is extremely concerning, Kennedy stresses.
“Securing legacy hardware is still very difficult, and this how not to do it. Security is being compromised for convenience, and consumers are, in many cases, just using the default settings. The easier you make it for yourself to connect, the easier you make it for the attacker,” Kennedy said.
With that in mind Kennedy is encouraging users to never directly connect devices using the serial servers to the internet. “If remote access is required, and since these devices do not offer encrypted traffic, connect the serial servers to a local network which can only be accessible via, for example, a VPN,” Kennedy wrote, “Also, restrict the IPs which can connect to the serial device, and don’t forget to password protect the admin consoles.” It’s unclear when or if Moxa plans on addressing the issues.
The company responded to Rapid7’s initial disclosure back in January when Kennedy found the issues, but didn’t engage further. “The response was pretty quick initially, but we didn’t hear anything back after the detailed disclosure,” Tod Beardsley, security research manager at Rapid7, told Threatpost Thursday.
According to Heiland, who also wrote up an advisory on the vulnerability, if exploited an attacker on the local network could modify the systems configuration, compromise data, take control of the product, and launch attacks against the users’ hosts system. Heiland discovered the bug, along with a collection of insecure direct object references that lets attackers view the HTML of web pages related to the product, shortly after the New Year and disclosed it to both the ManageEngine and CERT.