Millions of vulnerable devices on the internet, researcher reveals

A scan of the internet by an anonymous security researcher has revealed millions of IP-enabled devices protected only by default passwords.

A scan of the internet by an anonymous security researcher has revealed millions of IP-enabled printers, webcams and set-top boxes that are only protected by default passwords.

This means they have easy-to-guess, factory-set passwords such as “root” and are extremely vulnerable to being taken over by hackers.

“As could be seen from the sample data, insecure devices are located basically everywhere on the Internet,” the researcher wrote in a document detailing the project.

“They are not specific to one ISP or country. So the problem of default or empty passwords is an Internet and industry wide phenomenon,” he said.

To carry out the project, the researcher developed a small scanning program that installed itself on unsecured devices and used them to conduct additional scans.

The research botnet was able to infect about 100,000 devices within a day, enabling the researcher to make use of 420,000 devices to perform the survey.

“A lot of devices and services we have seen during our research should never be connected to the public Internet at all,” the researcher said.

The nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open.

The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records.

HD Moore, the CSO of security firm Rapid7, who carried out a similar survey in 2012, told the Ars Technica news website that the results looked “pretty accurate”.

“Embedded devices really are one of the most common devices on the Internet, and the security of these devices is terrible. I ran into a number of active botnets using those devices to propagate,” he said.

The anonymous researcher found that alongside his scanning code, other botnet programs were running on the devices he was using to conduct scans.

Botnet programs such as Aidra infected as many as 30,000 embedded devices, including the Linux-powered Dreambox TV receiver and other devices that run on MIPS hardware.

The scanning software detected capabilities in Aidra that forced compromised devices to carry out a variety of denial-of-service attacks on targets selected by the Aidra botnet operators.

In 2012, Xerox revealed that only around 13% of organisations are aware that printers and multi-function devices represent a threat to information security.

“Many organisations do not even realise that these devices are connected to the internet,” said Rick Dastin, president of the office and solutions business group at Xerox.

Because they are connected to the internet, however, they are as vulnerable as PCs to unauthorised network access through attacks such as cross-site scripting (XSS), SQL injection, and firmware vulnerability exploits.

Once infected, these devices can be used to sniff network traffic, infect other devices on the network, or serve as a launchpad for attacks.

Malware is moving rapidly into embedded systems, said Dastin. The problem is that relatively few organisations are managing these systems well, making them vulnerable to attack.

“Organisations need to realise that multi-function devices are endpoints on their network with operating systems, and just like any other endpoint, they have to be protected,” he said.

For this reason, Xerox partnered with security firm McAfee to develop a system that allows only approved software to run on devices such as printers.

McAfee expects huge growth in the embedded security software market.

