OFFICIAL SECURITY BLOG
March 22, 2013 | BY Jérôme Segura
We often hear about botnets (networks of infected computers) being used to send out spam, perform Distributed Denial of Service attacks or other nefarious activities by the bad guys. Well, an unidentified researcher thought there was much more that could be done with a botnet and took on an unprecedented mission to map out the Internet by looking at how many single IP addresses were in use. An ambitious goal you might say, but considering the botnet was scanning billions of ports per hour, it provides a never-before seen view and “census” of the Internet IPv4 address space.
The researcher essentially probed the Internet for devices connected with either no password or default passwords (root/admin) and quickly (and illegally) built her own network which exceeded 400K clients and was dubbed the “Carna Botnet”. The devices were mainly routers but also printers and webcams. By loading her custom program into each of them, the researcher was able to leverage the volume required to scan the Internet for IPV4 addresses in a short amount of time. The results showed that 1.3 billion addresses were in use out of a pool of 4.3 billion IPs.
Whether we like it or not, our lives and homes are already wired to the Internet. Here is a short list of devices that can have an IP address and therefore be controlled remotely. Some are obvious and one would think acceptable while others are quite debatable:
As always, technology is evolving fast, much faster than what the majority of people are able to comprehend how it is going to impact their lives. While I love all things technology myself, I am concerned by the fact we are missing some very important stepping stones to get things done right. Manufacturers are very eager to embed micro computers into our appliances because they can market them as edgy and offer more features than their competitors. While manufacturers will always say they comply with such or such regulation, they have little interest in the security risks introduced by wiring everything we own and putting it all online.
As this study on scanning the Internet shows, most devices are shipped with default passwords that are not required to be changed and consumers aren’t aware of the dangers. Think about how many years it took (and it still taking) to educate people about malicious software, safe browsing habits, etc. Now go tell them their microwave just got hacked and is being used in a large scale attack to knock high-profile websites offline.
So how does it work?
Such devices often contain an embedded web server running a small Linux Operating System and can be accessed via the Internet (for example through the Telnet protocol) with only a username and password. The bad guys are scanning the Internet by IP ranges and trying to access anything left open. Think of this as if a burglar was going around the neighborhood checking each door until he finds an unlocked one. Because consumers open and plug the device as is (and manufacturers want to make their lives easier), the default passwords are often left unchanged for days, months or even years.
Is this threat real?
The “Internet census” conducted by the anonymous researcher revealed how easy it was to take over hundreds of thousands of devices. Interestingly enough, while doing his study, the researcher encountered a “competitor”, which turned out to be a bad guy who had created his own “truly” bad botnet (the Aidra botnet). The compromised devices reported their IP address to the botmaster via Internet Relay Chat (IRC) and a malicious script the author wrote was designed to shutdown the telnet server to prevent infection or takeover by others. You can read more on the technical details here. The infected devices could also be instructed to perform a TCP/UDP flood attack against a target. Now isn’t that lovely?
What to do?
Obviously, traditional security defenses and solutions such as antivirus are ineffective against these attacks because they run a layer below.
The first thing one can do is figure out how many devices they own are actually wired to the Internet, besides their PC. You might be surprised to discover that the printer you just bought could actually get infected! Who would have thought, all those years ago when unsavvy folks were scared that their monitors or keyboards could get infected with a virus… they weren’t too far from the truth after all…
In many cases, you will not need to have your printer or webcam to be directly connected to the Internet and by turning off/disabling that feature you are avoiding the issue altogether. Regardless, it is a good idea to still change the default username and password that came with the device. If you go around your house and look at the cable modems or routers from your Internet Service Provider, you will often notice a sticker on the side with the default parameters. Guess what? Your neighbors and millions of other people have the same ones and because almost nobody changes them the bad guys are having a blast going on harvesting new victims.
While new technologies often times make our lives easier and give us that ‘wow, that’s cool’ moment, we need to be careful not to embark on a journey where we forget the basic notions of security and privacy. Although I believe consumer awareness is important, it is not sufficient and let’s face it we should not put that burden on end users themselves because it is human nature to overshadow long term risks for short term enjoyment. Such devices should be built with better security to begin with, we should ban the use of permanent default passwords (simply force the user to change the password the first time the device is plugged in). Of course, this is easier said than done especially when the main concern for companies is ease-of-use and minimum frustration to install a new device or product.
Finally, the goal of this post is not to scare but rather shine some light on some little known and yet already in place aspects of technology whose purpose is to bring a better user experience. And knowing is half the battle.