A researcher scoured the Internet and harnessed the power of 420,000 devices connected to identify 1.2 million unique unprotected devices. Devices included Webcams, routers, and printers.
The researcher, who posted on the SecLists mailing list Sunday under the name "internet census," described taking control of open devices by using empty or default login credentials such as "root:root" and "admin:admin." After finding these devices, the researcher created a botnet, dubbed "Carna," which acted as a distributed port scanner to scan the IPv4 address space and found about 1.2 million unique devices on the Internet.
From March to December 2012, the researcher scanned service probes for commonly used ports, ping requests, reverse DNS and SYN scans. After completing the scan, the researcher claims to have shut down the botnet and released the devices.
"No devices were harmed during this experiment," the researcher wrote.
Mark Scholesser, a security researcher from Rapid7 took exception to the methods used in the research. The way the data as collected is "highly illegal in most countries," Schloesser told SecurityWeek, noting that using insecure configurations and default passwords to gain access to remote devices and run code on them was "unethical." Taking precautions to not interfere with the device's normal operations "doesn't make it OK," he said. Even so, the research itself was noteworthy as the "most comprehensive Internet-wide scan," Scholesser said. This kind of research could also raise awareness of real security and configuration issues affecting people, and more projects of this kind, conducted legally, would be helpful, he said.
Many of the devices corralled into Carna were based on Linux and allowed login with empty or default credentials, according to write up of the project. Along with consumer routers and set-top boxes, the researcher found insecure devices such as IPSec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, and networking equipment from Cisco and Juniper Networks.
A lot of the devices should never have been connected directly to the Internet but should have been behind a firewall or some other network layer. The researcher began with the classic telnet login, "root:root" on random IP addresses, not realizing that thousands of unprotected devices on the Internet accepted that username and password combination.
"As a rule of thumb, if you believe that 'nobody would connect that to the Internet, really nobody,' there are at least 1000 people who did," the researcher wrote.
With the Carna botnet in place, the researcher was able to send ping requests to every IP address in the IPv4 address space, perform reverse DNS lookups, run Nmap scans, look for common service probes, and execute the traceroute command, to perform a "census" of all IPv4 devices on the Internet. According to the "Internet Census," there were 420 million IP addresses which responded to ping requests, and 36 million more with one or more ports open. About 141 Million IPs were firewalled and could count as "in use," according to the project paper. Another 729 Million more IP addresses had reverse DNS records. All this added up to 1.3 billion IP addresses in use, according to the project, with the remaining 2.3 billion addresses showing "no sign of usage."
Rapid7's Schloesser noted that this kind of research reveal the "real state of play" on the Internet and was similar to the current Critical.io project by HD Moore. Moore had found 50 million network-enabled devices that were exposed and at risk to compromise because of an error in how the universal plug-and-play protocol was being used.
"While everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world," the researcher wrote on the project page.