Researcher hijacks insecure embedded devices en masse for Internet scanning project
The research highlights the potential for abuse of poorly configured embedded systems
IDG News Service - An anonymous researcher created a massive botnet by hijacking about 420,000 Internet-accessible embedded devices with default or no login passwords and used it to map the entire Internet.
The botnet, which was dubbed Carna after the Roman goddess of physical health, ran between March and December 2012, and was used to perform "the largest and most comprehensive IPv4 [Internet Protocol version 4] census ever," the researcher said Sunday on a website dedicated to the project.
The data collected by the botnet -- a total of 9TB -- was released into the public domain for anyone to download and analyze. It includes the results of port scans that show what services are most commonly used on the Internet and the software used to run them, information about the total number of IPv4 addresses that are actually in use, millions of traceroute records and much more.
Even though this particular botnet doesn't appear to have been used for malicious purposes, it highlights the potential for abuse of poorly configured embedded devices by cybercriminals, other researchers said.
The botnet client software that ran on the insecure devices was written in plain C, was 60KB in size, and had a self-propagation and device re-infection mechanism. The spreading mechanism scanned public IP addresses for insecure devices and tried to access them over the telnet protocol using default login credentials such as root:root, admin:admin, root with no password or admin with no password.
Rebooting an infected device automatically removed the Carna botnet client. However, the remaining active clients would automatically reinfect the device once it came back online.
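Two of the behaviours described above leave traces a device owner or network defender can look for: telnet logins as a default account (root, admin) from outside the local network, and a fresh external login arriving shortly after a reboot, which is what the re-infection cycle would look like from the device's side. The following is an added detection example, not code from the article or the Carna project; the log format, the host names, the LAN prefix and the 5-minute re-infection window are constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample telnetd/kernel log lines (not real data from the census).
SAMPLE_LOG = """\
2012-06-01T10:00:01 dev1 telnetd: login from 198.51.100.7 user=root result=ok
2012-06-01T10:00:03 dev1 telnetd: login from 198.51.100.7 user=admin result=fail
2012-06-01T10:05:00 dev1 kernel: system boot
2012-06-01T10:05:40 dev1 telnetd: login from 203.0.113.9 user=root result=ok
2012-06-01T11:00:00 dev1 telnetd: login from 192.168.1.20 user=admin result=ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
LOGIN_RE = re.compile(r"login from (\S+) user=(\S+) result=(ok|fail)")
DEFAULT_USERS = {"root", "admin"}           # default accounts named in the article
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal network of the device


def analyze(log_text, reinfect_window=timedelta(minutes=5)):
    """Return a list of (host, alert_kind, source_ip, user) tuples.

    Alerts raised:
      default-account-login-from-internet: successful telnet login as a default
          account from an address outside LAN (Carna-style spread).
      login-shortly-after-reboot: successful external login within
          reinfect_window of the host's last boot (Carna-style re-infection).
    """
    alerts = []
    last_boot = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text, host, proc, msg = m.groups()
        ts = datetime.fromisoformat(ts_text)
        if proc == "kernel" and "system boot" in msg:
            last_boot[host] = ts
            continue
        lm = LOGIN_RE.search(msg)
        if not lm or lm.group(3) != "ok":
            continue  # only successful logins matter for these two alerts
        src, user = lm.group(1), lm.group(2)
        external = ipaddress.ip_address(src) not in LAN
        if external and user in DEFAULT_USERS:
            alerts.append((host, "default-account-login-from-internet", src, user))
        boot = last_boot.get(host)
        if external and boot is not None and ts - boot <= reinfect_window:
            alerts.append((host, "login-shortly-after-reboot", src, user))
    return alerts
```

Run against the sample, the first and fourth lines trigger the default-account alert and the fourth also trigger the post-reboot alert; the internal admin login on the last line is ignored, mirroring the distinction the article draws between Internet-facing and internal activity.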
The anonymous researcher claims that he took some precautions when designing the botnet client software so that it wouldn't disrupt the normal operation of the infected devices. "Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong," he said. "Our scanner was limited to 128 simultaneous connections and had a connection timeout of 12 seconds."
The botnet binary ignored all activity from the internal networks of the compromised devices, the researcher said. "We used the devices as a tool to work at the Internet scale. We did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users."
Even so, the methodology used in this "Internet Census 2012" project is highly illegal in most countries, said Mark Schloesser, a security researcher at vulnerability and risk management firm Rapid7, Tuesday via email. "Using insecure configurations and default passwords to gain access to remote devices and run code on them is unethical, and taking precautions to not interfere with any normal operation of the devices being used doesn't make it OK."