Insecure Web-Facing Devices

Wednesday, March 20, 2013 @ 04:03 PM gHale


“While playing around with the Nmap Scripting Engine we discovered an amazing number of open embedded devices on the Internet,” said one researcher who used a simple, binary technique to find more than 420,000 insecure devices running on the Internet.

The devices include including Webcams, routers, and printers, among others and the researcher said that is just the surface of what is out there.

RELATED STORIES
SAS: Keeping an Eye on Mobile Devices
DDoS Attacks Steady; Others on Rise
Users a Top Security Threat
Targeted Vulnerabilities 2 Years Old

In a SecLists posting, the unnamed researcher describes how he was able to take control of open, embedded devices on the Internet. The researcher did so by using either empty or default credentials such as “root:root” or “admin:admin”, indicating how a surprisingly large number of devices connected to the Web have no security to safeguard against a possible takeover.

By taking control of the devices, the researcher effectively established a botnet — which he called “Carna” — and surveyed the Internet. Botnets often see use in such areas as spamming, distributed denial-of-service attacks, and credit card and identity theft. After concluding his research, the researcher said, he or she shut the botnet down, quipping that “no devices were harmed during this experiment.”

“We hope other researchers will find the data we have collected useful and that this publication will help raise some awareness that, while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world. “

The researcher titled the undertaking “Internet Census 2012,” and it focused on the older IPv4 construction of the Internet. The transition to the IPv6 version began in earnest in June 2012 with a big push by tech heavyweights including Microsoft, Google, Cisco Systems, Facebook, and Yahoo.

The most notable difference between the two is in how many devices can connect to the Internet — IPv4 offers 4.3 billion addresses (2 to the 32nd power), where IPv6 provides vastly more, 340 undecillion addresses (2 to the 128th power).
Even in scanning the much, much smaller IPv4 Internet, the botnet conjured a 9-terabyte data set of information.

Among the findings, the researcher found:
• 52 billion ICMP ping probes
• 10.5 billion reverse DNS records
• 180 billion service probe records
• 2.8 billion sync scan records for 660 million IPs with 71 billion ports tested
• 80 million TCP/IP fingerprints
• 75 million IP ID sequence records
• 68 million traceroute records

“This project is, to our knowledge, the largest and most comprehensive IPv4 census ever,” the researcher wrote. “With a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible.”



Leave a Reply

You must be logged in to post a comment.