What 420,000 insecure devices reveal about Web security
Using a simple technique, a researcher creates a benign botnet to survey the breadth of the Internet, and finds a back door flung wide open and beckoning the bad guys.
A researcher used a simple, binary technique to take control of more than 420,000 insecure devices including Webcams, routers, and printers running on the Internet -- and says that's just a hint of the potential for real trouble to get started.
In a SecLists posting yesterday, the unnamed researcher describes how he was able to take control of open, embedded devices on the Internet. The researcher did so by using either empty or default credentials such as "root:root" or "admin:admin", indicating how a surprisingly large number of devices connected to the Web have no security to safeguard against a possible takeover.
By taking control of the devices, the researcher effectively established a botnet -- which he called "Carna" -- and surveyed the Internet., such as spamming, distributed denial-of-service attacks, and . After concluding his research, the researcher said, he or she shut the botnet down, quipping that "no devices were harmed during this experiment."
And in a low-key way, the researcher warned of the dangers revealed in his exploration:
We hope other researchers will find the data we have collected useful and that this publication will help raise some awareness that, while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.
A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did. Whenever you think "that shouldn't be on the Internet but will probably be found a few times" it's there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password.
The researcher titled the undertaking "Internet Census 2012," and it focused on the older IPv4 construction of the Internet. Thebegan in earnest in June 2012 with a big push by tech heavyweights including Microsoft, Google, Cisco Systems, Facebook, and Yahoo. The most notable difference between the two is in how many devices can connect to the Internet -- IPv4 offers a relatively meager 4.3 billion addresses (2 to the 32nd power), where IPv6 provide vastly more, a nearly incomprehensible 340 undecillion addresses (2 to the 128th power).
Even in scanning the much, much smaller IPv4 Internet, the botnet conjured a 9-terabyte data set of information.
Among the findings, the researcher found 52 billion ICMP (Internet Control Message Protocol) ping probes and 10.5 billion reverse DNS (domain name system) records. There were also 180 billion service probe records.
"This project is, to our knowledge, the largest and most comprehensive IPv4 census ever," the researcher wrote. "With a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible."
As important as the census data might be to some, the research highlights a very important security concern: It appears quite easy for insecure devices to be compromised. And although in this case they were used for good, it wouldn't be that difficult for someone to take a much more dangerous path.
It's a potential for trouble that is quite far-reaching.
"As could be seen from the sample data," the researcher wrote, "insecure devices are located basically everywhere on the Internet. They are not specific to one ISP or country. So the problem of default or empty passwords is an Internet and industry wide phenomenon."
Correction March 19 at 8:11 a.m. PT: Due to an editor's error, this story mistakenly attributed the Internet Census 2012 to Gordon Lyon, who runs SecLists.org. The Internet Census posting was by an unnamed researcher, not Lyon.