420,000 node botnet made from insecure embedded devices


Map showing the concentration of infected devices across the globe

There are a lot of devices connected to the Internet. While most people think about their computers, tablets, and phones, many don’t think about the various embedded devices that are also connected. From routers to printers to thermostats, there are a lot of devices talking online. Unfortunately, many of them are also listening online, and many vendors don’t do a good job of securing these devices. Combine that with the recent outbreak of Java vulnerabilities, and it’s a recipe for disaster.

One security “researcher” attempted to map the IPv4 address space of the Internet. He did this by exploiting vulnerabilities in various embedded devices online. Using the Nmap Scripting Engine, he was able to push attack code onto vulnerable systems, then use those systems to help with the mapping efforts. The above picture is a visual representation of where the bots lived. Interestingly, the United States had only a single red dot (indicating over 2,000 exposed devices), whereas other parts of the world, like China and India, had more, and even Turkey had a red dot within its borders.


Map showing the 460 Million IP addresses that responded to ICMP ping requests or port scans

One of the design decisions of the “researcher” was to be nice to targeted hosts. As such, he didn't make any permanent changes to the infected machines (i.e., rebooting the device would restore it to normal), limited the number of connections the device was allowed, and did not scan/snoop any traffic on internal networks.

While the information is interesting to read through, and the “researcher” claims that he did no harm, we can’t condone his actions. Although it does highlight the insecurity of the Internet as a whole, and many of the attacks were nothing more than guessing default username/password combinations, the unauthorized use of a device is still a crime. That said, we hope this is a wake-up call for companies to increase the base security of their embedded devices.
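Most of the footholds described here came from telnet accounts with no password or a default one, so the practical question for a device owner is how to spot that exposure in their own logs. The script below is an added example written for this article, not code from the anonymous Bitbucket posting or from Nmap: it reads telnet login records, flags attempts that use the default pairs the page names (root with no password, admin with no password, root/root, admin/admin), and separately flags successful telnet logins arriving from outside the local networks. The key=value record format, the host names and every sample line are constructed for the example; the source addresses use documentation ranges as stand-ins for Internet sources.

```python
"""
Added example, not code from the article or from the anonymous Bitbucket
posting it describes: a small audit script that reads telnet login records
and flags (a) logins using the default credential pairs named on the page
and (b) successful telnet logins arriving from outside the local address
space. The key=value log format and every sample line below are constructed
for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Default (username, password) pairs the page's commenters list. "" = no password.
DEFAULT_CREDS = {("root", ""), ("admin", ""), ("root", "root"), ("admin", "admin")}

# Address space treated as "inside": RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed record format (assumption): one login attempt per line, key=value fields.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) proto=telnet '
    r'user=(?P<user>\S*) pass="(?P<pw>[^"]*)" result=(?P<result>success|fail)$'
)

def parse_line(line):
    """Parse one record; return a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src_ip"] = ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    return rec

def is_external(ip):
    """True when the source is not in any of the internal networks above."""
    return not any(ip in net for net in INTERNAL_NETS)

def classify(rec):
    """Return the set of finding tags that apply to one parsed record."""
    tags = set()
    if (rec["user"], rec["pw"]) in DEFAULT_CREDS:
        tags.add("default-credential-attempt")
        if rec["result"] == "success":
            tags.add("default-credential-login")
    if rec["result"] == "success" and is_external(rec["src_ip"]):
        tags.add("telnet-login-from-internet")
    return tags

def audit(lines):
    """Map each host to the sorted list of findings seen across all its records."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not fatal
        findings[rec["host"]].update(classify(rec))
    return {host: sorted(tags) for host, tags in findings.items() if tags}

def hosts_to_remediate(findings):
    """Hosts where a default credential actually worked: rotate the credential
    and disable telnet, or restrict it to the management network."""
    return sorted(h for h, tags in findings.items() if "default-credential-login" in tags)

# Constructed sample log: not real traffic, hosts and addresses are invented.
SAMPLE_LOG = [
    '2013-03-15T02:14:07Z host=cam-17 src=198.51.100.23 proto=telnet user=root pass="root" result=success',
    '2013-03-15T02:14:09Z host=cam-17 src=198.51.100.23 proto=telnet user=admin pass="" result=fail',
    '2013-03-15T02:15:30Z host=dsl-gw-2 src=10.0.0.5 proto=telnet user=operator pass="Hx7!q2Lp" result=success',
    '2013-03-15T02:16:01Z host=printer-lobby src=203.0.113.77 proto=telnet user=admin pass="admin" result=success',
    'this line is malformed and should be ignored',
    '2013-03-15T02:17:45Z host=dsl-gw-2 src=203.0.113.9 proto=telnet user=support pass="changeme" result=success',
]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for host, tags in sorted(report.items()):
        print(host, ", ".join(tags))
    print("remediate:", hosts_to_remediate(report))
```

On the sample data the two camera and printer hosts get all three findings, while dsl-gw-2 is flagged only because telnet is reachable from the Internet at all; that second finding is worth acting on even when the credential is not a default one, since the article's point is that the listening service is the exposure.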

Source: Anonymous posting on Bitbucket | Images from research, posted on Bitbucket


23 Comments


Definitely illegal, but that's not the point. I'd rather have awareness risen by grey hats rather than black hats.

Breach said,
Definitely illegal, but that's not the point. I'd rather have awareness risen by grey hats rather than black hats.

Unfortunately grey hats sell to the highest bidder sometimes. This guy, although anonymous, would have connections and if it meant being able to support his family and lifestyle a bit of cash in hand for some exploits would be hard to pass up.

Jombi said,
Insecure, or unsecured?

The introduction of the paper suggests that it was unsecured devices (which are also insecure, of course):

"Two years ago while spending some time with the Nmap Scripting Engine (NSE) someone mentioned that we should try the classic telnet login root:root on random IP addresses. This was meant as a joke, but was given a try. We started scanning and quickly realized that there should be several thousand unprotected devices on the Internet. "

Yeah, this checks telnet with account root with no password, admin with no password, root with password root, and admin with password admin.

And to think there are still services which have passwords that are limited to 8 numbers/letters..

This security issue is only going to get worse as global internet access is achieved.

The 8 digits don't matter whatsoever. You can secure your 8-digit password so the brute force would take thousands of years, if not even more. It's the passwords that are set to "1234" that are causing the problem here.

I should clarify, I guess. My online banking password is also limited to 8 digits, but we get those passwords from our bank and they can't even be remembered, as they are case sensitive and, out of the 8, 4 are letters and 4 are numbers, random order, random case for letters. Let me know when one cracks it.

Edited by uMadRabbit, Mar 30 2013, 7:26pm :

alwaysonacoffebreak said,
The 8 digits don't matter whatsoever. You can secure your 8-digit password so the brute force would take thousands of years, if not even more. It's the passwords that are set to "1234" that are causing the problem here.

I should clarify, I guess. My online banking password is also limited to 8 digits, but we get those passwords from our bank and they can't even be remembered, as they are case sensitive and, out of the 8, 4 are letters and 4 are numbers, random order, random case for letters. Let me know when one cracks it.


Change your bank. Even with numbers and special characters it isn't enough, people will break it within a couple of minutes.

alwaysonacoffebreak said,
The 8 digits don't matter whatsoever. You can secure your 8-digit password so the brute force would take thousands of years, if not even more. It's the passwords that are set to "1234" that are causing the problem here.

I should clarify, I guess. My online banking password is also limited to 8 digits, but we get those passwords from our bank and they can't even be remembered, as they are case sensitive and, out of the 8, 4 are letters and 4 are numbers, random order, random case for letters. Let me know when one cracks it.


Random drivel is the 2nd weakest password next to the simpleton ones like 1234 etc.
There was a whole research study on this, and using rainbow tables a lot of people's passwords are easily broken through. Increased length does help vs these rainbow tables. For most, even rainbow tables won't be an issue due to the timeout after x login attempts.
But with this technique you can still get a lot of devices taken over. Even if it's 1%. Consider there are millions, if not hundreds of millions, of these devices out there. And many of which at important places, production facilities etc. And this can be very, very badly

Pooze said,

Change your bank. Even with numbers and special characters it isn't enough, people will break it within a couple of minutes.

Uhm, where did I say that's the only auth on the bank? It's the first of a 3-way auth; secondly there's a national ID card chip reader, and a PIN after that.

xendrome said,
Is this the same guy who did the complete IPv4 address scanning for the UPnP vulnerability?

Nope
This is about Telnet without a good username/password.

I know they are trying to prove something and all but instead of posting it on the anonymous internet for the "bad guys" to see they should contact the software owner so they would have a chance to fix those flaws.

warwagon said,
Yes, but now all the bad guys will connect and they won't be as nice.

The bad guys have already been connected. It's only now that this guy offers up the information of what is possible/happening.

Please don't think that just because someone 'outs' the information like this, that they're the first to discover it. The chances are, he's already seen it active in the wild and knows others who're using the same technique and he's just using it in a 'semi-moral' grey hacking way.

warwagon said,
Yes, but now all the bad guys will connect and they won't be as nice.

He set the devices to remove all traces of what he did after a while, so the botnet would die by itself after a while. So it didn't really leave systems any more vulnerable than they already were.

"Claims he did no harm". He still broke into systems without the owner's permission and took control. I'd love to see that argument try and stand in court.

"What? I only picked the lock to your house, made myself a drink and watched TV for a bit, everything was back to normal when I left"

McKay said,
"Claims he did no harm". He still broke into systems without the owner's permission and took control. I'd love to see that argument try and stand in court.

"What? I only picked the lock to your house, made myself a drink and watched TV for a bit, everything was back to normal when I left"

It wouldn't stand up in court. "Grey hat" hackers (hacking things, while "doing no harm", without the owner's permission) are not protected by any laws. In fact, it is definitely illegal to do so.

McKay said,
"Claims he did no harm". He still broke into systems without the owner's permission and took control. I'd love to see that argument try and stand in court.

"What? I only picked the lock to your house, made myself a drink and watched TV for a bit, everything was back to normal when I left"


That's not even remotely close to being the same thing.
Controlling someone's device remotely isn't physically being there. Breaking in and being in someone's house is completely different, and illegal for sure.

Personally I don't think the guy did anything wrong at all. He was simply doing a test.

So if I turn on the camera of your laptop and watch your wife get undressed, it's OK because I'm not there? Or I have a keylogger on your machine and take your credit card information, is that OK because I'm not there? Just because it's remotely done doesn't make it any more legal. He still pushed code onto the device that he wasn't authorized to.

More like picking your lock, taking a look through your phone book, then leaving a note profusely apologizing and explaining what you did to the owner and law enforcement.

And by picking your lock, I mean turning the handle to see if it was locked. No password is basically door-already-open, and simple password like admin or root is basically door closed but unlocked.