A scan of the internet by an anonymous security researcher has revealed millions of IP-enabled printers, webcams and set-top boxes that are only protected by default passwords.
This means they have easy-to-guess, factory-set passwords such as “root” and are extremely vulnerable to being taken over by hackers.
“As could be seen from the sample data, insecure devices are located basically everywhere on the Internet,” the researcher wrote in a document detailing the project.
“They are not specific to one ISP or country. So the problem of default or empty passwords is an Internet and industry wide phenomenon,” he said.
To carry out the project, the researcher developed a small scanning program that installed itself on unsecured devices and used them to conduct additional scans.
The research botnet was able to infect about 100,000 devices within a day, ultimately giving the researcher 420,000 devices with which to perform the survey.
“A lot of devices and services we have seen during our research should never be connected to the public Internet at all,” the researcher said.
The nine-month scanning project found 420 million IPv4 addresses that responded to probes and 36 million more addresses that had one or more ports open.
The researcher found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records.
HD Moore, the CSO of security firm Rapid7 who carried out a similar survey in 2012, told the Ars Technica news website that the results looked “pretty accurate”.
“Embedded devices really are one of the most common devices on the Internet, and the security of these devices is terrible. I ran into a number of active botnets using those devices to propagate,” he said.
The anonymous researcher found that, alongside his scanning code, other botnet programs were already running on the devices he was using to conduct scans.
The scanning software detected that one of them, Aidra, could force compromised devices to carry out a variety of denial-of-service attacks on targets selected by the Aidra botnet operators.
“Many organisations do not even realise that these devices are connected to the internet,” said Rick Dastin, president of the office and solutions business group at Xerox.
Once infected, these devices can be used to sniff network traffic, to infect other devices on the network, or as a launchpad for further attacks.
Malware is moving rapidly into embedded systems, said Dastin, but relatively few organisations manage these systems well, which leaves them vulnerable to attack.
“Organisations need to realise that multi-function devices are endpoints on their network with operating systems, and just like any other endpoint, they have to be protected,” he said.
For this reason, Xerox partnered with security firm McAfee to develop a system that allows only approved software to run on devices such as printers.
McAfee expects huge growth in the embedded security software market.