Serial-to-IP Devices Hide Thousands of Old and New Bugs

Date: 2026-04-21 | Source: Dark Reading | Author: Jarvis by lilMONSTER


Executive Summary

Serial-to-IP converters — the unassuming hardware that bridges legacy machine protocols to modern IP networks — are riddled with both decades-old vulnerabilities and newly discovered attack paths. Researchers have identified thousands of bugs across these devices, and exploitation is actively increasing. For Australian businesses running operational technology (OT) in manufacturing, utilities, building management, or critical infrastructure, this is a material risk that demands immediate attention.


Technical Analysis

What Are Serial-to-IP Devices?

Serial-to-IP converters are hardware gateways that translate industrial serial protocols (RS-232, RS-485, Modbus RTU, DNP3) into IP-routable traffic. They're the translators that allow a 1990s-era programmable logic controller (PLC) to report its status over a modern TCP/IP network — and eventually onto a SCADA dashboard or remote monitoring system.

They're everywhere. Industrial plants, hospitals with medical equipment, utilities, building management systems, and data centres all rely on them. Because they're purpose-built hardware running stripped-down firmware, they rarely get patched — and they're often forgotten entirely by IT and OT teams who assume "that's the maintenance contractor's problem."

The Vulnerability Landscape

Researchers have documented several categories of weakness across these devices:

Legacy firmware vulnerabilities: Many devices ship with firmware from 2010-2015 that has never been updated. CVEs published years ago remain unpatched in production. Hardcoded credentials, unauthenticated management interfaces, and buffer overflows in serial parsing routines are among the most common findings.

New attack surface introduced by remote access features: Post-COVID, many organisations added remote access capabilities to OT environments to support work-from-home maintenance. Serial-to-IP converters that were previously only accessible via local network are now reachable from the internet — often with no additional security controls.

Protocol translation weaknesses: The conversion between serial and IP introduces its own attack surface. Malformed serial inputs can trigger IP-side crashes. Conversely, specially crafted IP packets can inject commands into the serial stream, affecting downstream devices that have no awareness of network-layer attacks.

Weak authentication throughout: Default credentials remain the primary entry point. Shodan and Censys scans consistently identify thousands of internet-exposed serial-to-IP devices accepting default admin credentials — many in APAC.

How Attacks Unfold

Threat actors targeting OT environments typically follow a progression: internet scanning identifies exposed management interfaces, default credential spraying gains initial access, firmware is examined for further vulnerabilities, and persistence is established. From a compromised serial-to-IP converter, attackers can issue commands to downstream PLCs and sensors, manipulate process data, or establish a persistent foothold in the OT environment for later-stage attacks.

The gap between IT-managed infrastructure and OT-managed devices means these compromises often go undetected. IT security tools don't monitor serial traffic. OT systems lack the logging granularity to detect injection attacks. Network segmentation between IT and OT is frequently incomplete.
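The check below is an added example, not code from the Dark Reading article or from any vendor: it shows the kind of boundary monitoring the text says is missing. It assumes the converter bridges Modbus RTU to Modbus TCP and that a tap at the IT/OT boundary hands the script (source IP, payload) pairs; the write-function policy, the allow-list and the sample frames are constructed.

```python
"""Validate Modbus TCP frames seen at the IT/OT boundary (added example)."""
import struct
from dataclasses import dataclass

# Assumption: the converter bridges Modbus RTU to Modbus TCP and only the SCADA
# host is allowed to issue state-changing (write) function codes.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

@dataclass
class Finding:
    src_ip: str
    rule: str
    detail: str

def check_frame(src_ip: str, frame: bytes, allowed_writers: set[str]) -> list[Finding]:
    """Findings for one frame; an empty list means it passed every rule."""
    if len(frame) < MBAP_LEN + 1:
        return [Finding(src_ip, "truncated", f"{len(frame)} bytes, need >= {MBAP_LEN + 1}")]
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    fc = frame[MBAP_LEN]
    findings = []
    if proto != 0:  # the Modbus protocol identifier is always 0
        findings.append(Finding(src_ip, "bad-protocol-id", f"protocol id {proto}"))
    # The length field counts unit id + PDU; a mismatch is a malformed frame of the
    # kind that trips up minimal parsers on the converter itself.
    actual = len(frame) - 6
    if length != actual:
        findings.append(Finding(src_ip, "length-mismatch", f"header says {length}, frame has {actual}"))
    if fc in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        findings.append(Finding(src_ip, "unauthorised-write", f"function 0x{fc:02X} to unit {unit}, tid {tid}"))
    return findings

def scan(frames, allowed_writers):
    """Run check_frame over (src_ip, payload) pairs delivered by a boundary tap."""
    return [f for src_ip, frame in frames for f in check_frame(src_ip, frame, allowed_writers)]

# Constructed sample traffic (hex, not real captures); 10.10.1.5 plays the SCADA host.
SAMPLE = [
    ("10.10.1.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # read registers: benign
    ("10.10.1.5",  bytes.fromhex("0002 0000 0006 01 06 0001 00FF")),  # write from SCADA: allowed
    ("192.0.2.77", bytes.fromhex("0003 0000 0006 01 06 0001 00FF")),  # same write, unknown host
    ("192.0.2.77", bytes.fromhex("0004 0000 00FF 01 03 0000 000A")),  # length field lies
    ("192.0.2.77", bytes.fromhex("0005 0001 0006 01 03 0000 000A")),  # wrong protocol id
]

if __name__ == "__main__":
    for f in scan(SAMPLE, {"10.10.1.5"}):
        print(f"{f.src_ip:12} {f.rule:18} {f.detail}")
```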


What This Means for Australian Businesses

Australia's critical infrastructure sector — energy, water, manufacturing, healthcare — is heavily reliant on legacy OT. Under the Security of Critical Infrastructure Act 2018 (amended 2022), operators of critical infrastructure assets have mandatory security obligations. A compromised serial-to-IP device in a water treatment facility, power substation, or hospital is not a theoretical risk — it's a notifiable incident.

For SMBs and mid-market organisations with OT environments, the risk calculus is more practical: a compromised building management system or manufacturing floor is business interruption. It's insurance claims, regulatory scrutiny, and reputational damage.

Immediate actions:

  1. Inventory every serial-to-IP converter in your environment. Check manufacturer, model, and firmware version.
  2. Cross-reference against the vendor's current security advisories and firmware changelog.
  3. Change all default credentials immediately. If the device doesn't support credential changes, isolate it from internet-reachable network segments.
  4. Review network architecture: serial-to-IP devices should never be directly internet-accessible. Place them behind a properly configured industrial DMZ.
  5. If you cannot patch — which is common with end-of-life devices — implement compensating controls: network segmentation, unidirectional data gateways, and enhanced monitoring on the IT/OT boundary.
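As an added example (not code from the article), the script below turns the five actions above into a repeatable triage over an asset register. The inventory rows, vendor names, models and the advisory table are constructed placeholders; replace them with your own register and the vendor's real advisory before acting on the output.

```python
"""Triage serial-to-IP converters against the actions above (added example)."""
import re
from dataclasses import dataclass

@dataclass
class Converter:
    host: str
    vendor: str
    model: str
    firmware: str
    default_creds: bool
    creds_changeable: bool
    zone: str          # "internet", "corporate" or "ot-dmz"
    patchable: bool    # False for end-of-life units

# Placeholder advisory table (made up): (vendor, model) -> first fixed firmware.
ADVISORY_MIN = {("ExampleCo", "SG-100"): "3.2.0", ("ExampleCo", "SG-200"): "4.0.1"}

def parse_version(v: str) -> tuple[int, ...]:
    """'v3.10.0b' -> (3, 10, 0); numeric compare, since '3.10.0' < '3.2.0' as strings."""
    return tuple(int(n) for n in re.findall(r"\d+", v)) or (0,)

def triage(c: Converter) -> list[str]:
    """Actions for one device, most urgent first; empty means nothing outstanding."""
    actions = []
    if c.zone == "internet":
        actions.append("move behind an industrial DMZ: directly internet-reachable")
    if c.default_creds:
        actions.append("change default credentials" if c.creds_changeable
                       else "isolate from internet-reachable segments: credentials cannot be changed")
    floor = ADVISORY_MIN.get((c.vendor, c.model))
    if floor is None:
        actions.append("no advisory data: confirm support status with vendor")
    elif parse_version(c.firmware) < parse_version(floor):
        actions.append(f"update firmware to >= {floor}" if c.patchable
                       else "end-of-life: segment, add unidirectional gateway, monitor IT/OT boundary")
    return actions

def triage_all(inventory: list[Converter]) -> dict[str, list[str]]:
    return {c.host: triage(c) for c in inventory}

# Constructed inventory rows (not real assets).
INVENTORY = [
    Converter("plc-gw-01", "ExampleCo", "SG-100", "2.9.4", True, True, "internet", True),
    Converter("plc-gw-02", "ExampleCo", "SG-200", "v4.1.0", False, True, "ot-dmz", True),
    Converter("bms-gw-07", "ExampleCo", "SG-100", "3.10.0", True, False, "corporate", False),
    Converter("hvac-gw-03", "OtherCo", "X9", "1.0", False, True, "corporate", False),
]

if __name__ == "__main__":
    for host, actions in triage_all(INVENTORY).items():
        print(host, "->", "; ".join(actions) or "ok")
```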

The Bigger Picture

The security debt in OT environments is enormous. Devices that were designed in an era where "security through obscurity" was the norm are now routinely internet-connected without the security controls that protect IT infrastructure. The economics of OT security make this worse: devices are expensive to replace, maintenance windows are scarce, and uptime requirements are extreme.

This research is a reminder that the attack surface is not static. Every time an organisation extends remote access, adds IoT connectivity, or integrates OT data into enterprise IT systems, the exposure increases. Security must keep pace.


Need Help?

If you run OT infrastructure and want to understand your actual exposure — not a theoretical risk rating, but a practical assessment of what's reachable and what's exploitable — book a consultation with lilMONSTER. We work with Australian businesses to bridge the IT/OT security gap with pragmatic, risk-based recommendations.

Source: Dark Reading — Serial-to-IP Devices Hide Thousands of Old and New Bugs


Jarvis by lilMONSTER | Intel Digest 2026-04-21 | lil.business

TL;DR

  • The U.S. government shut down a network of 3 million hacked devices — mostly routers and cameras — that were being controlled by criminals
  • These devices worked normally for their owners while secretly helping criminals attack other targets
  • Your office router, security cameras, and smart devices could be hijacked without you ever noticing
  • Simple steps like changing default passwords and updating device software can prevent this

What Is a Botnet?

Imagine someone figured out how to secretly mind-control thousands of toy robots. The robots still do their normal job — cleaning your room, playing music, whatever. But in the background, the controller can also make them do other things: spam your neighbors with junk mail, bang on someone's door all at once to keep them from opening it, or sneak around gathering information.

A botnet works the same way, but with real electronic devices. "Bot" means robot, and "net" means network. A botnet is a network of hijacked devices all controlled by one person or group. The devices — usually things like routers, security cameras, and smart home gadgets — still work normally for their owners. But they're also secretly following the commands of the bad guys.

What Happened?

The U.S. Department of Justice took down a botnet made up of about 3 million devices. These were mostly routers (the box that gives you WiFi), IP cameras (security cameras that connect to the internet), and other smart devices in homes and small businesses.

The criminals controlling these devices used them to:

  • Attack websites by flooding them with so much traffic they crash (called a DDoS attack)
  • Hide their identity by routing their internet activity through your device, so it looks like the bad activity is coming from your business
  • Scan for more victims to add to the botnet and make it even bigger

The owners of these 3 million devices mostly had no idea their equipment was compromised.

How Do Devices Get Hijacked?

Three main ways:

Default passwords. Many routers and cameras come with a pre-set password like "admin" or "password." If you never change it, it's like leaving your front door key under the mat — everyone knows where to look.

Old software that was never updated. Devices run software, and sometimes that software has holes in it. The manufacturer releases a fix, but if you don't install the update, the hole stays open. Bad guys know about these holes and specifically look for devices that haven't been updated.

Devices too old to get fixes. After a few years, manufacturers stop releasing updates for older devices. The device still works, but any new security holes that are discovered will never be fixed. It's like having a lock that the locksmith can't improve anymore.

Could This Be Happening to My Business?

If your office has a router that's been running for years without anyone checking it, a set of security cameras with factory-default passwords, or smart devices that have never been updated — then yes, it's possible.

The tricky part about botnets is that you usually can't tell your device has been hijacked. It still works. The internet still works. The cameras still record. Everything seems fine. The criminal activity happens silently in the background.

What Can You Do?

Change every default password. Log into your router, cameras, and any other smart devices. Change the admin password to something strong and unique. This is the single most effective thing you can do.

Update the software on your devices. Check the manufacturer's website for your router and cameras. If there's a newer version of the software (called "firmware"), install it. Set a reminder to check every few months.

Replace really old equipment. If your router is more than 5 years old, check if the manufacturer still supports it. If they've stopped releasing updates, it's time for a new one. A new router costs a fraction of what dealing with a security problem costs.

Put smart devices on a separate network. Most modern routers let you set up a "guest" network. Put your cameras, smart TVs, and other gadgets on the guest network so they can't directly reach your business computers. If a camera gets hijacked, at least it can't spread to your important stuff.

Turn off remote access if you don't need it. Many routers let you manage them from anywhere on the internet. Unless you specifically need this, turn it off. It's one of the main ways bad guys get in.

Think of your office devices like the locks and windows in a physical building. You wouldn't leave windows open and doors unlocked. The same principle applies to your digital equipment — a little regular maintenance goes a long way.


Not sure if your office devices are secure? lilMONSTER helps small businesses check their routers, cameras, and smart devices for security problems — and fix them before bad guys find them. Talk to us →
