InfoSec 2013: Thousands Of Open Servers Leave Critical Government Systems Vulnerable

Researchers find oil and gas systems, medical devices and naval ships could all be manipulated thanks to over 100,000 serial servers

Over 100,000 servers used for remote access into systems managing critical infrastructure have been left open to outsiders, threatening the safety of oil plants, nuclear facilities and even military ships, researchers warned today.

They claim weak security in the affected servers could be used to cause real-world, destructive damage, for instance to the electricity grid, or to feed ships false information. There has only been one known destructive cyber attack of this kind in history – when Stuxnet malware infected control systems at a uranium enrichment facility in Iran, setting back the country’s nuclear programme by sending centrifuges crazy.

But such attacks might not be so hard to pull off. At InfoSec 2013 today, researchers from security firm Rapid7 told TechWeekEurope they have found it easy to access and toy with critical systems.

Serial server ship shocker

The vulnerable machines are known as serial servers, which are used widely in industrial, transportation and point of sale systems to connect to critical devices not hooked up to the public Internet. Thanks to lax authentication on many of the 120,000 affected servers, attackers could interact with them over public protocols, including telnet, HTTP, SSH and TCP.

But the biggest problems lay in devices that could be accessed over Simple Network Management Protocol (SNMP) or Advanced Device Discovery Protocol, a proprietary protocol developed by Digi International. Rapid7 has contacted the relevant device manufacturers to warn them.

There should be an “air gap” between critical systems and the public Internet, but thousands of serial servers were easily discoverable on the public Internet, using the freely-available Internet Census and search tools such as Shodan.

Claudio Guarnieri, researcher at Rapid7, showed TechWeekEurope how he was able to use the vulnerabilities to track nation state-owned ships, including those belonging to the military and law enforcement, and various other vessels. He could determine what kind of ship they were, and if they were part of a naval fleet, whilst a malicious hacker could send false radar information to the crew, potentially causing carnage.

He was able to track 34,000 boats, and acquired the information with just four hours of work. “This is stuff that was used by boats originally to not crash into each other… it provides geolocation information,” Guarnieri added.

But there was also evidence oil and gas supply monitoring could be manipulated, potentially causing real-world damage by altering readings to trick those running the systems to make changes where none are needed. SCADA systems, like those Stuxnet compromised, were found hooked up to a large number of vulnerable serial servers.

“There were some gas centres where the temperature could be increased… it’s really scary stuff,” Guarnieri said. He claimed the researchers found one city where power grid sensors could be accessed and “completely shut down”.

HD Moore, Rapid7’s chief, found a case where he could heat up oil and gas lines to 150C, threatening the stability of that infrastructure.

Medical device monitoring could also be played with, threatening hospital systems. Drips or pumps could be hacked, placing lives at risk, Rapid7 said. Petrol pumps could even be compromised.

The problems lie in authentication for those serial servers. “Some of them have no authentication, or very weak authentication,” Guarnieri said. “In most cases, it’s because of misconfiguration from the users.”

Many keep default passwords or don’t use any at all for convenience. But it’s placing their systems at much greater risk of attack.

UPDATE: Digi got in touch with TechWeek following the report, saying they agreed with Rapid7’s assessment it was not the technology at fault, but customers’ implementation of it. However, they said HD Moore had not been in touch to talk about the research.

“We are reaching out to Mr Moore to see if there are things we can learn from his efforts, or ways to partner with him to educate Internet of Things (IoT) implementers,” said Joel Young, CTO of Digi.
