

Serial Port Scans Find More Than 100,000 Hackable Devices - christianbryant
http://www.forbes.com/sites/andygreenberg/2013/04/23/researchers-serial-port-scans-find-more-than-100000-hackable-devices-including-traffic-lights-and-fuel-pumps/

======
jlgaddis
I remember freaking out when I first read HDM's post on the Digi devices[0]
because I have a ton of the Digi devices deployed at electrical substations
for a customer (electric utility). They are connected to the cellular networks
and have public IP addresses.

Fortunately, I was rewarded for being paranoid and doing everything I could to
lock these devices down pre-deployment as none of them were vulnerable to
these attacks. It was certainly a stressful day as I checked each of them one
by one, though.

[0]: https://community.rapid7.com/community/metasploit/blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers

~~~
daemon13
What are the typical use cases for Digi and similar devices?

~~~
jlgaddis
In my case, it's to provide IP connectivity where it is otherwise not
available.

I'm using the devices shown in the bottom of the picture at
http://www.digi.com/products/wireless-routers-gateways/routing-gateways/digiconnectwanfamily

These electrical substations are in the "middle of nowhere". We can't exactly
call up the cable or telephone companies and get an Internet connection
installed. Fortunately, cellular service _is_ available, even though it is
extremely slow in some of these locations.

The devices are, at their most basic, cellular routers -- a LAN port on one
side connects to the industrial equipment and the device connects to
the cellular network to give them Internet access. An IPSec VPN from the
device back to the utility's office provides a connection to their management
software so that they can communicate with the industrial equipment.

The industrial gear is "smart". Need to disconnect a customer because they
didn't pay their bill? Send out a digital message and their electricity gets
shut off. Huge storm rolls through the area? They can quickly see how many
customers -- and where -- are without power.

IP connectivity to the industrial equipment means they can control everything
from their main office and not have to do a "truck roll" for every service
change and such, saving them tons of time and money.

------
devicenull
Seems like every 6 months someone discovers SHODAN and we get another article
like this.

~~~
cnlwsu
It's a 3-month-old article, so it's good to be reminded mid-next-article.

~~~
christianbryant
True, though "old" articles like this are interesting reads as case studies.
When you analyse how many times these types of discoveries occur and then
trend, it offers both sides of the camp interesting data.

------
shortsightedsid
UART or serial port is the first thing that you need when developing embedded
systems. It is simple and easy to hook up to your laptop (via USB serial
converters). With terminal emulators like Teraterm, PuTTY (or the nefarious
Hyperterminal) or Minicom, you can get to see what's happening on the device.

1. All devices running Linux will have /dev/console tied to UART.

2. For others, typically a printf routine would write to UART.

The problem the article talks about occurs when the OEM "forgets" to turn off
the UART (either in software or just by breaking the pins during
manufacturing).

~~~
csense
> The problem the article talks about occurs when the OEM "forgets" to turn
> off the UART (either in software or just by breaking the pins during
> manufacturing).

Did you read the article? He's not hacking commercial/industrial devices like
gas pumps by driving to a gas station and using a USB-serial adapter to
physically attach a laptop or smartphone.

Rather, the owners of the gas pumps legitimately attached a serial-to-Ethernet
translator themselves to allow applications on their TCP/IP network to control
the gas pump hardware. But they didn't secure the connection with an effective
firewall or authentication requirement, so now not just the legitimate
application, but anyone on the public Internet, can send commands to the pump.
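A defender-side check for the exposure described above: given firewall-style connection records for a serial-to-Ethernet server, flag accepted sessions to its serial TCP ports that did not come from the networks that are supposed to reach it (the office LAN or the VPN tunnel). This is an added example, not code from the article or any commenter; the log format, the port numbers and all addresses are constructed for illustration, not vendor values.

```python
"""Flag TCP sessions to serial-server ports that did not originate from an
allowlisted network (audit example; log format and addresses are constructed)."""
import ipaddress
import re

# Constructed: TCP ports on which a hypothetical serial-to-Ethernet server
# exposes its serial lines (raw and telnet-style). Not vendor-specific values.
SERIAL_PORTS = {2101, 2001}

# Constructed: networks legitimately allowed to talk to the serial ports,
# e.g. the office management LAN and the IPsec tunnel address space.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.8.0.0/16")]

# Constructed firewall-style connection records (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2013-04-24T02:11:05Z gw1 ACCEPT TCP 198.51.100.7:40211 -> 192.0.2.10:2101
2013-04-24T02:13:40Z gw1 ACCEPT TCP 203.0.113.45:51234 -> 192.0.2.10:2101
2013-04-24T02:14:02Z gw1 ACCEPT TCP 10.8.3.4:33000 -> 192.0.2.10:2001
2013-04-24T02:15:19Z gw1 ACCEPT TCP 203.0.113.9:60001 -> 192.0.2.10:443
2013-04-24T02:16:50Z gw1 DROP TCP 203.0.113.9:60002 -> 192.0.2.10:2001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_allowed(src):
    """True if the source address lies inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETS)

def find_exposed_sessions(log_text, serial_ports=SERIAL_PORTS):
    """Return (timestamp, src, dport) for each ACCEPTed session to a serial
    port whose source address lies outside every allowlisted network."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected record shape
        if m["action"] != "ACCEPT" or int(m["dport"]) not in serial_ports:
            continue  # only accepted sessions to serial ports matter here
        if not is_allowed(m["src"]):
            hits.append((m["ts"], m["src"], int(m["dport"])))
    return hits

if __name__ == "__main__":
    for ts, src, port in find_exposed_sessions(SAMPLE_LOG):
        print(f"{ts} serial port {port} reached from non-allowlisted {src}")
```

Any hit means the serial line is reachable from outside the intended management path; the fix is a firewall rule or VPN-only binding, not a larger allowlist.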

