Serial-to-IP converters are affected by potentially serious vulnerabilities that can expose operational technology (OT), healthcare, and other types of systems to remote attacks.
Serial-to-IP converters, also known as serial device servers, are hardware devices that bridge legacy serial equipment to modern Ethernet/IP networks, allowing old industrial control systems (ICS) and other OT devices to communicate remotely.
Researchers at network security and threat detection company Forescout Technologies have analyzed these devices and found numerous vulnerabilities that could be valuable to threat actors.
Serial-to-IP converters are used in sectors such as industrial, telecoms, retail, healthcare, energy and utilities, and transportation. The devices are made by several major companies, including Moxa, Digi, Advantech, Perle, Lantronix, and Silex.
Some of these vendors have reported deploying millions of devices, and a Shodan search shows nearly 20,000 internet-exposed systems worldwide.
“Using open-source intelligence (OSINT), attackers can find details about some of these devices, including internal IP addresses, model and vendor names, and photographs from electrical substations, water treatment plants, and other critical infrastructure environments,” Forescout researchers explained.
In addition to internet-exposed devices, attackers could target serial-to-IP converters on local networks, which can be compromised via vulnerabilities or misconfigurations in edge devices such as routers and firewalls.
Forescout’s research, which focused on Silex and Lantronix devices, led to the discovery of 20 new vulnerabilities across the two vendors’ products, including weaknesses that can be exploited without authentication.
The vulnerabilities, collectively tracked as BRIDGE:BREAK, can be exploited for OS command injection and remote code execution, firmware tampering, denial-of-service (DoS) attacks, and device takeovers.
Some of the flaws can allow attackers to upload arbitrary files, bypass authentication, and obtain information.
Forescout researchers showed the potential impact of these vulnerabilities in real-world environments. They demonstrated how an attacker could exploit the flaws to tamper with data, for instance, manipulating sensor readings in industrial and healthcare environments to conceal dangerous conditions that would normally require human intervention.
In another scenario, the researchers described how an extortion group or a state-sponsored threat actor could cause a DoS condition in a healthcare environment by delivering malicious firmware to devices.
“Once activated, the weaponized firmware could cause serial-to-IP converters to stop responding on the network. Potential impacts include: analyzers stop reporting results to laboratory information systems, creating processing backlogs; surgical lighting controllers become unresponsive to remote commands; infusion pump calibration and certification workflows are halted; telemetry from environmental sensors is interrupted; Patient monitors lose network connectivity,” the researchers explained.
Lantronix and Silex have both been notified and they have released patches. The cybersecurity agency CISA recently published an advisory describing the Lantronix vulnerabilities. Silex has published an advisory on its own website.
It’s important for organizations not to ignore the risks posed by the use of serial-to-IP converters, as these devices have been targeted in the wild. They were targeted by Russian hackers in the 2015 Ukraine energy attack and, more recently, in attacks targeting energy facilities in Poland.
Forescout will publish a report detailing the BRIDGE:BREAK vulnerabilities on Tuesday, April 21.
Related: Lantronix Device Used in Critical Infrastructure Exposes Systems to Remote Hacking
Related: 1,000 Instantel Industrial Monitoring Devices Possibly Exposed to Hacking
