The state of embedded device security is poor, and there hasn’t been much in the way of discussion to the contrary. It’s well established that vendors skimp on security, selling for example, routers and other networking gear protected only by default passwords, or other critical devices engineered to be accessible with a simple telnet command. These actions pose an enormous risk to the infrastructure supporting those devices, leaving them open to attack by hackers. Those vulnerabilities can lead to data loss, network performance degradation, or worse put lives in danger if critical services such as water or power are impacted.
For Metasploit creator HD Moore, this was a call to action. Moore has invested serious time into examining data from previous scans of the IPv4 address space looking for equipment exposed by shoddy default configurations and other vulnerabilities. His own Critical.io project, along with the Internet Census 2012, the Carna botnet and a host of academic and research tools that scan the Internet and return bulk data on device exposures has done plenty to shine a harsh light on the risks these Web-facing devices.
But Moore believes there is plenty of room for additional analysis. He’s advanced his work by collaborating with a team of researchers at the University of Michigan on Project Sonar, a repository of scan data that has been responsibly collected by the researcher community. Moore said he hopes to engage the security community into not only analyzing the data produced by scans of public-facing networks, but also contributing data sets. Project Sonar is being hosted by the University of Michigan at scans.io.
“We need more eyes on it because we need the shame to fall on these vendors for the terrible products they’re producing,” Moore said, adding as an example, that he’s found upwards of 10,000 command shells sitting online accessible via telnet that would give an outsider root access to the device in question. “The fact that we’ve got issues like that where there’s not even a pretense of security, yet these devices are not getting any better and in some cases we’re seeing an expansion of the vulnerable devices year over year, that was a call to action to me to make it harder for vendors to avoid the scrutiny they deserve.
“The thing is a lot of people like to see results and like to see the tiny pictures but not many people want to dig into and pull stuff out,” Moore said. “We’re going to try to do that make it palatable for amateur researchers and every day IT admins to use as a resource.”
Currently, there are five data sets hosted by Project Sonar, formally known as the Internet-Wide Scan Data Repository; the two teams used a host of tools to collect the data including ZMap, an Internet scanner developed at UM, UDPBlast, Nmap, and MASSCAN among others. Two datasets were contributed by the University of Michigan and those include scans of HTTPS traffic looking for raw X.509 certificates (43 million have been included from 108 million hosts) as well as data from an IPv4 scan on port 443 conducted last October to measure the impact of Hurricane Sandy. Rapid7 has also contributed three data sets: service fingerprints from Moore’s Critical.IO project; a scan of IPv4 SSL services on port 443; and a regular DNS lookup for all IPv4 PTR records.
“After going through the data enough times, it became obvious there are so many different vulnerabilities and issues that really just take some human eyes on things,” Moore said. “It really doesn’t make sense to sit on this amount of data and not share it.”
Researchers and IT managers can use the data in a variety of ways; in bulk, researchers could generate vulnerability data per vendor or per product, or on a narrower scope, the data can be used to do asset inventory, for example, on a particular IP range in order identify existing vulnerabilities. A Rapid7 team used the data, for example, to accelerate a penetration test on an 80,000-node network. Moore said an entire asset inventory was done in about 20 minutes as opposed to three days with customary tools and scans.
Early feedback has been positive, and Moore said some researchers have already begun to build Web services and queries around the data. Moore added that UM and Rapid7 hope that additional datasets will eventually be contributed, so long as they collection efforts are done legally and within ethical bounds. It’s for that reason, Moore said, that neither UM nor Rapid7 will host data collected from the Internet Census or Carna botnet for this project, the legality of which is still in question.
“Right now we’re steering away from offering any kind of Web service; I don’t want to have a service where folks are depending on me to get them results, nor do I want to be responsible for seeing what queries they run,” Moore said. “It’s not what we’re trying to solve. We’re taking the bulk data that’s multiple gigabytes, 5-6 terabytes, and make that available on the website in bulk form for anyone who’s doing research to download it. At the same time, we’re taking different slices of the data as well and saying ‘Let’s just take the name fields for this packet,’ or parse out a particular field and make those available for folks who are doing more casual testing.”