Exposed Devices Used as Botnet to Scan Internet

A controversial Internet scanning project has come under fire for illegally accessing and running code on remote machines. The Internet Census 2012 project, revealed Sunday in a post to Seclists.org, discovered 420,000 embedded devices accessible using default credentials. The unnamed researcher behind the project then used the devices as a botnet to scan most of the IPv4 address space.


Although the researcher said in a paper that no changes were made to any of the devices and all were returned to their original state after a reboot, the project is drawing the ire of the security community.

“While the Internet Census 2012 provides interesting data, the way it was collated is highly illegal in most countries,” said Mark Schloesser, security researcher at Rapid7, in a statement. “Using insecure configurations and default passwords to gain access to remote devices and run code on them is unethical, and taking precautions to not interfere with any normal operation of the devices being used doesn’t make it OK.”

Rapid7 CSO and Metasploit creator HD Moore’s Critical.io project is a similar large-scale scan of the Internet looking for vulnerabilities in equipment provided by ISPs to customers. Out of this legitimate data-collection project came the exposure of serious Universal Plug and Play (UPnP) vulnerabilities affecting 50 million systems.

The creator of Internet Census 2012 developed a binary that was uploaded to the insecure devices found during the scan. The binary included a telnet scanner that would fire different default login combinations at the devices such as root/root or admin/admin, or would attempt to access devices without a password. The binary also included a manager that would provide the scanner with IP address ranges and then upload the results to an IP address.
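The behaviour described above, a remote host cycling through factory-default account names against a device's Telnet service, leaves a recognisable trace in the device's own logs. The following is an added detection example, not code from the article or from the Internet Census project: it parses constructed Telnet daemon log lines (the line format, the host name `gw` and the RFC 5737 documentation addresses are all assumptions) and flags any source that fires several default-account login attempts inside a short window, noting whether one of them succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (not from the original article) in the style a
# small embedded device might emit for its Telnet daemon. The message format,
# the host name "gw" and the source addresses are assumptions for this example.
SAMPLE_LOG = """\
Mar 17 02:14:05 gw telnetd[1203]: login user=root from=203.0.113.7 result=fail
Mar 17 02:14:06 gw telnetd[1203]: login user=admin from=203.0.113.7 result=fail
Mar 17 02:14:07 gw telnetd[1203]: login user=admin from=203.0.113.7 result=fail
Mar 17 02:14:08 gw telnetd[1203]: login user=root from=203.0.113.7 result=ok
Mar 17 02:14:09 gw telnetd[1203]: login user=alice from=198.51.100.23 result=ok
Mar 17 02:15:30 gw telnetd[1203]: login user=admin from=198.51.100.44 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>\w+)$"
)

# Factory-default account names the article mentions (root/root, admin/admin).
DEFAULT_USERS = {"root", "admin"}


def parse_lines(text):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year; 2012 is assumed for the sample.
        ts = datetime.strptime("2012 " + m["ts"], "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    return events


def detect_default_cred_sweeps(events, window_seconds=60, min_attempts=3):
    """Return one alert per source that made at least `min_attempts` login
    attempts with default account names inside any `window_seconds` span.

    Each alert records the total number of default-account attempts, the
    account names tried, and whether any of those attempts succeeded, which
    is the case a defender most needs to act on."""
    by_src = defaultdict(list)
    for e in events:
        if e["user"] in DEFAULT_USERS:
            by_src[e["src"]].append(e)

    alerts = []
    for src, attempts in by_src.items():
        attempts.sort(key=lambda e: e["ts"])
        # Sliding window: is there any run of min_attempts events within the window?
        burst = any(
            (attempts[i + min_attempts - 1]["ts"] - attempts[i]["ts"]).total_seconds()
            <= window_seconds
            for i in range(len(attempts) - min_attempts + 1)
        )
        if not burst:
            continue
        alerts.append({
            "src": src,
            "attempts": len(attempts),
            "users": sorted({e["user"] for e in attempts}),
            "default_login_succeeded": any(e["result"] == "ok" for e in attempts),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_default_cred_sweeps(parse_lines(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample only 203.0.113.7 is reported: four default-account attempts in three seconds, ending in a successful `root` login. The single `admin` failure from 198.51.100.44 stays below the threshold, and the `alice` login is not a default account at all. A successful default login after a burst of failures is the signal that the device should be assumed compromised and its credentials changed, whatever the intent of the party that logged in.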

“We deployed our binary on IP addresses we had gathered from our sample data and started scanning on port 23 (Telnet) on every IPv4 address. Our telnet scanner was also started on every newly found device, so the complete scan took only roughly one night. We stopped the automatic deployment after our binary was started on approximately thirty thousand devices,” the researcher said in his paper. “The completed scan proved our assumption was true. There were in fact several hundred thousand unprotected devices on the Internet making it possible to build a super-fast distributed port scanner.”

The scan quickly located hundreds of thousands of devices including consumer routers, IPsec routers, BGP routers, industrial control systems and enterprise-grade networking gear. The researcher said he ignored any traffic going through the devices and did not port scan any LAN devices.

“[I] used the devices as a tool to work at the Internet scale,” the paper said. “[I] did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users.”

The researcher said the binary was uploaded to 420,000 devices, about one-quarter of the number of unprotected devices found during the scan.

“The actual research itself is noteworthy in that it is the most comprehensive Internet-wide scan. I’m still reviewing the findings, but so far nothing mind-blowing has leapt out at me,” Rapid7’s Schloesser said. “Generally this kind of research raises awareness of the real security and configuration issues affecting people, and hopefully helps them identify areas for action. I’d like to see more projects of this kind, conducted legally, and sharing information about the real state of play on the Internet.”

The botnet, dubbed Carna by the researcher, ran from March through December of last year. Its intent wasn’t malicious, and the researcher said there was no interest in interfering with the devices or how they operated.

“Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong,” he said, adding that the scanner was limited to 128 simultaneous connections and had a connection timeout of 12 seconds. “We also uploaded a readme file containing a short explanation of the project as well as a contact email address to provide feedback for security researchers, ISPs and law enforcement who may notice the project.”
