Embedded device manufacturers have been warned for years about the risks of making networking, telecom and critical infrastructure gear reachable online and, worse yet, of leaving default credentials in place for authenticating to those devices.
Clearly, most are not listening.
An Australian researcher with access to the data collected by the Carna botnet, also known as the Internet Census 2012, enumerated and analyzed devices exposed to the Internet in the IPv4 address space and found a number of troubling trends.
While hundreds of thousands of devices discovered by the botnet were manufactured by just 15 companies, there are still 2,099 unique device builders with vulnerable devices sitting on the Internet with default credentials still enabled. The vast majority of compromised devices were built by Chinese manufacturers (720,141 or 56 percent), with Hong Kong and Turkish builders (7 percent each) the next biggest offenders. China’s ZTE Corp. was far and away the biggest offender, with 353,436 devices accounting for 27 percent of the devices discovered.
ZTE was singled out, along with fellow telco manufacturer Huawei, by the U.S. House Intelligence Committee as a security threat; the committee cautioned American companies not to do business with these manufacturers.
“It seems to indicate that there is a manufacturing problem somewhere with these very few companies that are making devices that are vulnerable by default. I think it’s strongly necessary to force manufacturers to alter their habits and make devices that are secure by default,” said Parth Shukla, a researcher with Australia’s AusCERT.
Shukla said he is the only person aside from the anonymous researcher behind the Internet Census 2012 to have access to the full Carna data set. “Perhaps government and consumer pressure might be required to accomplish this as I am not getting much response from them in my attempts to collaborate with them with regards to this issue,” he said.
The creator of the Internet Census 2012 used a botnet of more than 1.3 million devices to conduct a full scan of allocated IPv4 addresses. The creator then developed a binary that was uploaded to the insecure devices found during the scan. The binary included a telnet scanner that would fire different default login combinations at the devices such as root/root or admin/admin, or would attempt to access devices without a password.
“We deployed our binary on IP addresses we had gathered from our sample data and started scanning on port 23 (Telnet) on every IPv4 address. Our telnet scanner was also started on every newly found device, so the complete scan took only roughly one night. We stopped the automatic deployment after our binary was started on approximately thirty thousand devices,” the anonymous researcher said in his paper. “The completed scan proved our assumption was true. There were in fact several hundred thousand unprotected devices on the Internet making it possible to build a super-fast distributed port scanner.”
The scan quickly located hundreds of thousands of devices, including consumer routers, IPsec routers, BGP routers, industrial control systems and enterprise-grade networking gear. The researcher said he ignored any traffic going through the devices and did not port scan any LAN devices.
Shukla told Threatpost he has not had much success communicating with manufacturers and getting them to understand the severity and depth of the issue. He said he has offered to provide each manufacturer with a sanitized version of the data that applies to them.
“I think this highlights a very worrying trend that manufacturers don’t care about security and there is nothing currently we can do to make them care,” Shukla said. “They create vulnerable devices by default and it doesn’t bother them. I’m not even sure if they are aware of this or not.”
The security of embedded devices, and the insecure practice of not removing default credentials, is a huge issue, in particular with SCADA and industrial control system equipment. Since the release of the initial Internet Census 2012 data in March, malware known as LightAidra has appeared on the scene and is responsible for several botnets designed to search for open telnet ports and attempt to compromise the devices behind them with default credentials, Shukla said.
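The default-credential sweeps described above (the Census scanner's root/root and admin/admin attempts, and the LightAidra botnets that followed) leave a distinctive pattern in device or honeypot logs. The detector below is an added example, not code from the article or from AusCERT; it assumes a constructed honeypot-style telnetd log format and flags sources that try several default pairs, marking any source whose default pair actually logged in.

```python
import re
from collections import defaultdict

# Default username/password pairs of the kind the scanner tried; "" means no password.
DEFAULT_PAIRS = {("root", "root"), ("admin", "admin"), ("root", ""), ("admin", "")}

# Assumed honeypot-style telnetd log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: LOGIN (?P<result>FAILED|OK) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) from=(?P<src>[\d.]+)$"
)

# Constructed sample: one source sweeping default pairs, one normal user, one single try.
SAMPLE_LOG = """\
2013-03-21T02:14:07Z telnetd[811]: LOGIN FAILED user=root pass=root from=203.0.113.9
2013-03-21T02:14:09Z telnetd[811]: LOGIN FAILED user=admin pass=admin from=203.0.113.9
2013-03-21T02:14:11Z telnetd[811]: LOGIN OK user=root pass= from=203.0.113.9
2013-03-21T02:20:40Z telnetd[812]: LOGIN FAILED user=alice pass=hunter2 from=198.51.100.4
2013-03-21T02:21:02Z telnetd[813]: LOGIN OK user=alice pass=s3cret-pw from=198.51.100.4
2013-03-21T02:30:00Z telnetd[814]: LOGIN FAILED user=admin pass=admin from=192.0.2.77
""".splitlines()

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_default_cred_sweeps(lines, threshold=3):
    """Map each source that tried at least `threshold` default pairs to a summary."""
    # success=True means a default pair logged in: treat the device as compromised and reset it.
    by_src = defaultdict(lambda: {"attempts": 0, "pairs": set(), "success": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec["user"], rec["pw"]) not in DEFAULT_PAIRS:
            continue
        entry = by_src[rec["src"]]
        entry["attempts"] += 1
        entry["pairs"].add((rec["user"], rec["pw"]))
        entry["success"] |= rec["result"] == "OK"
    return {src: {"attempts": e["attempts"], "pairs": sorted(e["pairs"]),
                  "success": e["success"]}
            for src, e in by_src.items() if e["attempts"] >= threshold}

if __name__ == "__main__":
    for src, summary in find_default_cred_sweeps(SAMPLE_LOG).items():
        print(src, summary)
```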
Shukla and AusCERT have provided data to particular country CERTs worldwide and invite other organizations to contact AusCERT.
“ISPs and resellers of these devices also need to play a critical role in ensuring that vulnerable devices are not resold by them to their customers which can place their own networks in jeopardy upon infection,” Shukla wrote in his paper. “Once infected, a device can have a negative impact on network performance for ISPs and as such an incentive to not sell these vulnerable devices should be plainly obvious.”