Search engines such as Shodan show close to 20,000 internet-exposed serial-to-Ethernet converters, though the number of such devices deployed within networks is likely in the millions, as they are used across many industries. But even when they are not directly connected to the internet, attackers can still reach such devices after breaking into internal networks through a variety of other initial access vectors.
Because serial protocols often lack authentication or encryption, “attackers may alter serial data received from a sensor as it moves into the IP network,” the researchers said. “For example, changing temperature, pressure, humidity, flow, patient heart rate readings to arbitrary values. Conversely, attackers may modify commands traveling from the IP network to the serial side before they reach an actuator. For example, changing the speed or direction of a servo motor.”
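Since the serial side carries no integrity protection, a defender on the IP side can at least sanity-check what arrives from a converter before it reaches a historian or HMI. The following plausibility monitor is an added example written for this article; it is not code from the researchers or from any converter vendor. It assumes readings have already been decoded into `(sensor_id, value)` pairs (the decoding depends on the converter and protocol, which the article does not specify), and the per-sensor limits and the sample stream are constructed for illustration. It covers the sensor-to-network direction only; commands bound for actuators would need an analogous allow-list on the command side.

```python
"""Plausibility monitor for sensor readings forwarded by a serial-to-IP
converter (added example, not from the article).  Each reading is a
(sensor_id, value) pair; a value that falls outside the sensor's physical
range, or that jumps further than the process could move in one sample
interval, is reported as a possible tampering event."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    low: float       # physically plausible minimum for this sensor
    high: float      # physically plausible maximum for this sensor
    max_step: float  # largest credible change between consecutive readings


# Hypothetical per-sensor limits a site engineer would configure; the
# sensor names and numbers are constructed for this example.
LIMITS = {
    "temp_c": Limits(low=-40.0, high=125.0, max_step=5.0),
    "heart_bpm": Limits(low=30.0, high=220.0, max_step=25.0),
}


def check_stream(readings):
    """Scan an ordered list of (sensor_id, value) readings.

    Returns a list of (index, sensor_id, value, reason) alerts.  Readings
    that fail the range check are not used as the baseline for the next
    comparison, so a single injected outlier does not also make the next
    genuine reading look like an implausible jump.
    """
    alerts = []
    last_accepted = {}
    for i, (sensor_id, value) in enumerate(readings):
        lim = LIMITS.get(sensor_id)
        if lim is None:
            # A sensor we never configured: unexpected on this link.
            alerts.append((i, sensor_id, value, "unknown sensor"))
            continue
        if not (lim.low <= value <= lim.high):
            alerts.append((i, sensor_id, value, "out of physical range"))
            continue
        prev = last_accepted.get(sensor_id)
        if prev is not None and abs(value - prev) > lim.max_step:
            alerts.append((i, sensor_id, value, "implausible jump"))
        # In-range values become the new baseline even when flagged, so a
        # genuine step change raises one alert rather than an endless series.
        last_accepted[sensor_id] = value
    return alerts


# Constructed sample stream: two readings are altered in transit and one
# comes from a sensor that was never provisioned on this converter.
SAMPLE = [
    ("temp_c", 21.5),
    ("temp_c", 22.0),
    ("temp_c", 85.0),      # +63 C in one interval: tampered
    ("temp_c", 85.5),
    ("heart_bpm", 72.0),
    ("heart_bpm", 400.0),  # outside any human heart rate: tampered
    ("heart_bpm", 74.0),
    ("flow_lpm", 3.1),     # sensor not in LIMITS
]

if __name__ == "__main__":
    for index, sensor, value, reason in check_stream(SAMPLE):
        print(f"reading {index}: {sensor}={value} -> {reason}")
```

The range check catches values no physical sensor could produce, while the step check catches the more subtle case the researchers describe, an in-range value that the real process could not have reached that quickly. Both thresholds are process-specific and should come from the people who operate the equipment, since limits set too tight produce alert fatigue and limits set too loose miss gradual manipulation.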
Serial-to-IP converters have been targeted in real-world attacks against critical infrastructure in the past. For example, in the 2015 cyberattack that disrupted power distribution at several substations in Ukraine, attackers loaded corrupted firmware onto Moxa serial-to-IP converters via the firmware update function.
