Unsecured ports on industrial control equipment, which could let hackers gain admin access, highlight risk of older equipment on modern tech

Security weaknesses uncovered in terminal servers used to provide an Internet connection to a wide variety of business and industrial equipment exemplify the risk inherent in adapting older systems to modern technology, experts say.

A recent study by the security firm Rapid7 found more than 114,000 terminal servers, mostly from Digi International or Lantronix, configured to let anyone gain access to the underlying systems. A terminal server, also called a network access server, makes any equipment with a serial port accessible through the Internet.

The systems found vulnerable to tampering included industrial control equipment, traffic signal monitors, fuel pumps, retail point-of-sale terminals and building automation equipment. A hacker scanning the Internet for the serial ports on these devices could easily use a command line program to gain administrative privileges and control the equipment.

The problem largely stems from companies failing to set up strong authentication measures. Rather than requiring a strong password, the equipment is left using the manufacturer’s default password — or no authentication at all. While just setting up proper authentication would fix the problem in most cases, the reason why that does not happen is more complicated. For example, terminal servers are often added to heating, ventilation and air conditioning equipment and building security systems by a third party or by people within the organization other than IT security pros.

As a result, the latter may not even know the servers exist, said Matthew Neely, director of research at risk management company SecureState. Making matters worse, if the equipment is not properly inventoried, then the servers are soon forgotten.

In general, adding security to control systems, whether used in businesses or manufacturing, is difficult and often adds a layer of complexity that the underlying systems were not originally built to handle.

“There is often a tendency not to deploy [security] because it impacts functionality,” said Joe Weiss, a security consultant for Applied Control Solutions.

Vendors also can add to the problem by marketing equipment as secured, when in reality it is just capable of being secured, which means the buyer has to add the necessary technology. Another scenario is that the vendor will send equipment with all the security mechanisms turned off, leaving it to the buyer to turn them on.

“Without being flippant, a lot of times people don’t look, because the box says it’s secure, so they assume it is plug-and-play,” Weiss said.

A problem specific to terminal servers is often seen in electric utilities, he said. Federal cybersecurity requirements for the power industry exclude serial port servers, so they are often skipped by utilities, since the servers would not be on their compliance checklist. “They don’t even have to look for these [servers],” Weiss said.

Security is often lacking in terminal servers because the majority of the devices were not built for use with critical industrial control systems (ICS) or other vital equipment. Therefore, experts recommend that such high-value hardware operate on a separate network, such as a virtual local area network, with a firewall between it and the corporate network.

While a VLAN would mean managing a separate network and set of credentials for administrators, the trouble would be far less than having the equipment compromised by a hacker, said Matthew Luallen, president and co-founder of CYBATI, which conducts classes in securing ICS.

“Administrative systems are high-value targets,” Luallen said.
“Once somebody is in, they’re at admin privileges.”