Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices
Researchers scanning the internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack, due to the fact that their administrative interfaces are publicly viewable from anywhere on the internet and their owners have failed to change the manufacturer’s default password.
Linksys routers had the highest percent of vulnerable devices found in the U.S. — 45 percent of 2,729 routers that were publicly accessible still had a default password in place. Polycom VoIP units came in second, with default passwords lingering on about 29 percent of 585 devices accessible over the internet.
“You can reflash the firmware or install any software you wish on vulnerable devices,” said Salvatore Stolfo, a Columbia University computer science professor who is overseeing the research project aimed at uncovering vulnerable appliances on the internet. “These devices will be owned and used by bot herders and other miscreants.”
Vulnerable routers can be used by hackers to conduct click fraud or DNS cache poisoning attacks or to launch attacks on other systems, as a recent Threat Level story about vulnerable routers used by Time Warner customers pointed out. Someone with remote access to the administrative interface of a VoIP system would also be able to install firmware to record conversations.
The research project, devised by Columbia University grad student Ang Cui at the university’s Intrusion Detection Systems Laboratory, involves scanning networks belonging to the largest internet service providers in North America, Europe and Asia. The lab is sponsored by the Defense Advance Research Projects Agency (DARPA), the Department of Homeland Security and other federal agencies.
“Vulnerable devices can be found in significant numbers in all parts of the world covered by our scan,” the researchers wrote in a summary of their initial findings (.pdf) presented at a symposium in June. “The double digit vulnerability rates suggest that a large botnet can be created by constituting only embedded network devices.”
Since initiating the project last December, the Intrusion Detection researchers have scanned 130 million IP addresses and found nearly 300,000 devices whose administrative interfaces were remotely accessible from anywhere on the internet. The 21,000 devices found with default passwords are the most vulnerable, but the rest are also theoretically vulnerable to brute force password cracking attacks, Stolfo said. Extrapolating from the numbers gathered to date, the researchers estimate that some 6 million vulnerable devices are likely connected to the internet.
The group has so far focused on residential-based routers and devices but is now turning its sights on scanning more sensitive networks to search for vulnerable devices inside large corporations and government networks.
“People tend to buy stuff and bring them to work and just plug them in,” Stolfo said. “So we think we’ll be able to find vulnerable devices in highly sensitive places.”
The researchers didn’t attempt to explore the administrative interfaces or tamper with the devices they found, so they believe their work isn’t illegal.
“The scan script sends the public password for the product, and if the device responds with the ‘command prompt’ for that product interface, then the machine is obviously open,” Stolfo said. “We do not access the machine. We break the connection at that point and move on.”
The scanning is easily seen by ISPs, and the researchers say they embedded in their probes the URL for a webpage explaining the project and giving network providers a chance to opt out. Stolfo says a couple of universities, a security company and government agency have so far asked to be exempt from the scan.
The researchers have provided ISPs with their findings in the hope that they will do something to protect vulnerable customers.
“It’s not clear how an ISP is going to do a general announcement, but we hope there will be some way to communicate to the home user in particular about what they have to do to reconfigure their device,” Stolfo said.
But Stolfo says product makers are the real culprits and need to hide their administrative interfaces by default and provide clear instructions for users who want to alter that configuration. Vendors should also be more forceful in communicating to users that default passwords need to be changed to robust alphanumeric passwords that include special characters to thwart brute force attacks.
“This is not a password you’re going to need every day, so setting a very hard password and recording it at home on a piece of paper is probably a safe thing to do,” Stolfo says.
The group plans to run the scan for a few more months, then wait a period before re-running it to see if the number of vulnerable devices has fallen after ISPs are made aware of the vulnerabilities.
See also:
Original article at Threat Level
Filed Under: Threat Level
ACLU
Daily Kos
Electronic Frontier Foundation (EFF)
Electronic Privacy Information Center (EPIC)
European Digital Rights
Ixquick Search Engine
Privacy Rights Clearinghouse
