March 21, 2013
Rogue Researchers Find Web Is A Very Unsecured Place
Michael Harper for redOrbit.com — Your Universe Online
Research isn´t always pretty. Sometimes some crude methods must be employed to find the real truth of the matter. For instance, a group of unnamed and informal researchers recently created a botnet to scour the web and look for unsecured devices.
What started out as a joke resulted in a good piece of data which reveals just how unsecured much of the web can be. The botnet was used to send out messages to random IP addresses and try to gain access to the devices by using only default passwords.
According to the research, there are an estimated 1.2 million devices connected to the Internet that are guarded only by the default password which shipped with the device. These devices include printers, routers, webcams and the like.
The unnamed researchers have made the results of this study freely and openly available in what they´re calling the “Internet Census 2012.”
According to the author-less paper, the research began as a joke, with a group of people wondering how many IPv4 devices they could hack into with the simple telnet “root:root” login. After performing a few quick scans, they realized it was much easier than they expected to find unprotected addresses.
Based on these quick, cursory searches, the hackers behind the research found that one in every thousand IP addresses was not secure. The team then created a binary code to run on these devices as a proof of concept.
As the aim of this code was to only conduct research, the team programmed the code to be unobtrusive, take up as little system memory as possible and stop working once it was done reporting back to the researchers. The researchers even included a .readme file with the code explaining their intentions in case someone were to find it on their system. This file even included a contact email address for these researchers.
“We had no interest to interfere with default device operation so we did not change passwords and did not make any permanent changes,” reads the Internet Census 2012 report.
“After a reboot the device was back in its original state including weak or no password with none of our binaries or data stored on the device anymore. Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong,” the report says.
The hacking researchers then used this code to scour the web to look for recruits for their botnet. According to the report, these millions of unsecured devices reside all over the globe and aren´t restricted to one area or one ISP. This led the researchers to declare the problem as “an Internet and industry wide phenomenon.”
The team enlisted only 25 percent of the unsecured devices they found for their botnet, leaving them with 420,000 devices at their disposal. Each of these devices had been unlocked with only one of four default passwords.
The team named their botnet “Carna,” after the Roman goddess for the protection of the inner organs and health. The researchers note that Carna was later confused as the goddess of doorsteps and hinges, saying this seemed like an appropriate name for their botnet.
"While everybody is talking about high-class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world," say the unnamed authors of the report.
What´s more, the researchers found that there are many devices which ideally shouldn´t even be connected to the public Internet.
“As a rule of thumb, if you believe that 'nobody would connect that to the Internet, really nobody', there are at least 1000 people who did," reads the report.
"Whenever you think 'that shouldn't be on the Internet but will probably be found a few times' it's there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password," the report concludes.