Researcher hijacks unsecure embedded devices en masse for Internet scanning project

The research highlights the potential for abuse of poorly configured embedded systems

An anonymous researcher created a massive botnet by hijacking about 420,000 Internet-accessible embedded devices with default or no login passwords and used it to map the entire Internet.

The botnet, which was dubbed Carna after the Roman goddess of physical health, ran between March and December 2012, and was used to perform "the largest and most comprehensive IPv4 [Internet Protocol version 4] census ever," the researcher said Sunday on a website dedicated to the project.

The data collected by the botnet -- a total of 9TB -- was released into the public domain for anyone to download and analyze. It includes the results of port scans that show what services are most commonly used on the Internet and the software used to run them, information about the total number of IPv4 addresses that are actually in use, millions of traceroute records and much more.

Even though this particular botnet doesn't appear to have been used for malicious purposes, it highlights the potential for abuse of poorly configured embedded devices by cybercriminals, other researchers said.

The botnet client software that ran on the insecure devices was written in plain C, was 60KB in size, and had a self-propagation and device re-infection mechanism. The spreading mechanism scanned public IP addresses for insecure devices and tried to access them over the telnet protocol using default login credentials like root:root, admin:admin, root with no password or admin with no password.

Rebooting an infected device automatically led to the removal of the Carna botnet client. However, the remaining active clients would automatically reinfect it upon its return online.

The anonymous researcher claims that he took some precautions when designing the botnet client software so that it wouldn't disrupt the normal operation of the infected devices. "Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong," he said. "Our scanner was limited to 128 simultaneous connections and had a connection timeout of 12 seconds."

The botnet binary ignored all activity from the internal networks of the compromised devices, the researcher said. "We used the devices as a tool to work at the Internet scale. We did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users."

Even so, the methodology used in this "Internet Census 2012" project is highly illegal in most countries, said Mark Schloesser, a security researcher at vulnerability and risk management firm Rapid7, Tuesday via email. "Using insecure configurations and default passwords to gain access to remote devices and run code on them is unethical, and taking precautions to not interfere with any normal operation of the devices being used doesn't make it OK."

The researcher responsible for the project said Tuesday via email that he prefers to remain anonymous precisely because he doesn't want to figure out the legal aspects of it in detail.

Even though the Carna botnet grew to reach about 420,000 clients, the actual number of "open" devices -- devices with default or no access passwords -- was much higher. "Approximately 70% of all open devices are either too small, don't run Linux or only have a very limited telnet interface making it impossible to start or even upload a binary," the researcher said on the Internet Census 2012 website.

The insecure devices were grouped by CPU and RAM and the botnet binary was only deployed on systems that were part of the more larger groups, as those were likely to represent widespread consumer-grade devices and not industrial control or mission critical systems.

The 420,000 devices the botnet client eventually ran on represented about 25% of all unprotected devices found. The researcher collected MAC addresses -- unique hardware identifiers assigned to network interfaces -- for all unprotected devices and identified about 1.2 million of them.

"A lot of devices and services we have seen during our research should never be connected to the public Internet at all," the researcher said. If you believe that nobody would ever connect a certain type of device to the Internet, there are probably at least 1,000 people that did it, he said. Similarly, if you think that you'll only find a few instances of certain devices that shouldn't normally be connected to the Internet, there will probably be a few hundred thousands of them, "like half a million printers, or a million webcams, or devices that have root as a root password," he said.

"We hope other researchers will find the data we have collected useful and that this publication will help raise some awareness that, while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world," the researcher said.

The potential for malicious use of such devices is high, the researcher said via email. In fact, while deploying the Carna botnet, he found a DDoS (distributed denial-of-service) bot called Aidra that was already running on thousands of the open devices.

He then decided to make some changes to devices infected by his own botnet client in order to prevent Aidra infections. "Since we did not change anything permanently, restarting the device undid these changes," he said. "We figured that the collateral damage as a result of this action would be far less than Aidra exploiting these devices."

In time, the Carna botnet gained systems that Aidra lost and kept the malicious bot out of them, except for around 30,000 devices running on the MIPS (Microprocessor without Interlocked Pipeline Stages) platform where Aidra permanently installed itself, the researcher said.

Devices running embedded operating systems provide a huge potential for cybercrime activities, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "They are rarely using any intrusion detection mechanism, despite the fact that they have the technical capabilities to run malware. These highly specialized appliances are in fact computers; what differs is the software running on them."

The fact that this researcher found a malicious botnet already running on these devices is proof that bad things are already happening in the embedded world, but they often go unnoticed because there are no mechanisms to detect them, Botezatu said.

"The fact is that the state of security on thousands of Internet-connected devices is lower than one would assume," Schloesser said. "Finding another botnet on a subset of these devices is not surprising at all -- other research showed the very concerning state of security on the public internet in the past as well."

In January, security researchers from Rapid7 published research showing that tens of millions of network-enabled devices including routers, printers, media servers, IP cameras, smart TVs and more could be attacked over the Internet because of dangerous flaws in their implementation of the UPnP (Universal Plug and Play) protocol standard.

Unfortunately, there isn't a simple solution to fix this widespread problem, Schloesser said. "The only way to improve the security of the embedded devices is for their manufacturers to take security more seriously and work with the research community to identify and address issues."

There are technical solutions to some of these problems and vendors are already using them, Schloesser said. "One could, for example, have devices pre-configured with random passwords and put appropriate stickers onto the devices. It requires a little investment before shipping them but is well worth it. Also approaches employing QR codes for 'initial setup URLs' could be a possibility. Everything is better than weak vendor-wide default passwords."

"It is the vendors' responsibility," the anonymous researcher said via email. "They can't expect users to log into telnet and change the password."

Botezatu agreed that vendors favor usability over security by shipping products with default passwords and don't force users to change them, but said that user education is also needed. It's ultimately the device owner who decides how the device is used, what services to expose to the Internet and what security controls to put in place, he said.

"Users should be instructed about the best practices of deploying Internet-connected devices, because it is their responsibility to secure access to them," he said.

Otherwise, as more and more devices, from cars to refrigerators and coffee makers, are being connected to the Internet, the problem will only get worse.

"These devices are as vulnerable and as exploitable as any computer," Botezatu said.

Copyright © 2013 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon