It turns out there’s some 1.2 million devices online just sitting around waiting for someone to come in and use them to create the bot-net to end all bot-nets. Here’s an excerpt from an explanation on Security Now episode #396:
STEVE: Yeah. So here’s the deal. First of all, I’m going to quote some things from this paper. Everybody, I tweeted the link, but also the bit.ly link is easy to find. You’re going to love the graphics. Click, up on the top, click the graphics button. And look, and he’s also got super-high-resolution versions of those thumbnails.
So here’s what happens. The guy, he says “we” throughout this paper. And at the end he confesses, okay, “we” actually means “I” because it just was impossible to say “I this,” “I that,” and “I this” and so forth throughout the whole thing. So it’s a guy. And with any luck he kept it quiet. And it’s a good thing it’s one guy because secrets are difficult to keep among people because then there’s no accountability. Operating alone for six months, he poked his head out onto the Internet, wondering how many telnet ports were open. And he…
LEO: Telnet’s the old, insecure way of getting terminal access to a server.
STEVE: Yes.
LEO: Nobody uses it anymore. We all use SSH. Or maybe not [laughing].
STEVE: Okay. 1.2 million unique, unprotected devices exposing telnet on the ‘Net.
LEO: Oh, dear.
STEVE: What he did was he scanned a small piece of the ‘Net and found a surprising number of telnet ports. That’s port 23. It’s one of the ones that ShieldsUP! has been checking for people from day one because it is so bad to have – arguably, it’s worse than Windows file sharing, port 23. And no one blocks it. That is, ISPs, it’s off their radar. They’re not blocking it. And as you said, it’s like remote terminal. You use a telnet client, which are freely available. You simply connect to this port, and you get a prompt.
LEO: Now, you’d have to know a login and password.
STEVE: And he tried either blank logins or admin:admin or root:root. He also tried admin:blank password and root:blank password, and that got him into the majority of these boxes.
LEO: Oh, oh. So this map that we’re looking at is 460 million IP addresses, all of which respond to, well, these are ping requests. I don’t care about pings.
STEVE: I know. Leo, he wrote a bot which he then carefully uploaded into an initial set of these, which then scanned for others, and they sent themselves there. He wrote a worm, essentially…
LEO: This guy should be – I hope he’s being careful because this is the kind of thing people go to jail for.
STEVE: Oh, Leo.
LEO: Unmalicious or not.
STEVE: Here’s the problem. Now everyone knows. This, I mean, this is why this is the worst news I’ve had this year.
The report they’re discussing is titled “Internet Census 2012: Port scanning /0 using insecure embedded devices” and can be found at http://internetcensus2012.bitbucket.org/paper.html. The full Security Now conversation (Episode #396) can be found at http://www.grc.com/securitynow.htm.
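The practical takeaway from the conversation is the defender's question: which devices on my own network are accepting telnet (TCP port 23) from the Internet at all? The script below is an added example, not code from the Security Now transcript or from the Internet Census paper. It walks a set of firewall-style connection log lines, keeps only accepted connections to port 23, and reports each internal device together with the external addresses that reached it. The log format, the RFC 1918-only definition of "internal", and every sample line are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed log format for this example (hypothetical, not a real vendor's):
# <timestamp> <ACCEPT|DROP> proto=tcp src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=tcp "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
TELNET_PORT = 23

# Address space treated as "inside" the audited network (assumption: RFC 1918 ranges only).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class TelnetSession:
    ts: str
    src: str
    dst: str
    external_source: bool  # True when the client address is outside INTERNAL_NETS


def is_internal(addr):
    """True if the address falls inside one of the configured internal networks."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_telnet_sessions(lines):
    """Every accepted connection to TCP/23, with its source classified as internal or external."""
    sessions = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or int(rec["dport"]) != TELNET_PORT:
            continue  # unparsable, dropped by the firewall, or not telnet
        sessions.append(TelnetSession(rec["ts"], rec["src"], rec["dst"],
                                      external_source=not is_internal(rec["src"])))
    return sessions


def summarize_exposure(lines):
    """Map each internal device to the set of external addresses that reached its telnet port."""
    exposure = {}
    for s in find_telnet_sessions(lines):
        if s.external_source:
            exposure.setdefault(s.dst, set()).add(s.src)
    return exposure


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges,
# used here to stand in for arbitrary Internet addresses.
SAMPLE_LOG = """\
2013-03-20T10:01:02Z ACCEPT proto=tcp src=203.0.113.7 dst=192.168.1.10 dport=23
2013-03-20T10:01:05Z ACCEPT proto=tcp src=192.168.1.20 dst=192.168.1.10 dport=23
2013-03-20T10:02:11Z ACCEPT proto=tcp src=198.51.100.9 dst=192.168.1.10 dport=23
2013-03-20T10:03:00Z ACCEPT proto=tcp src=203.0.113.7 dst=192.168.1.11 dport=22
2013-03-20T10:04:30Z DROP proto=tcp src=203.0.113.8 dst=192.168.1.12 dport=23
2013-03-20T10:05:00Z ACCEPT proto=tcp src=203.0.113.7 dst=192.168.1.10 dport=23
this line is not in the expected format
"""

if __name__ == "__main__":
    for dst, sources in sorted(summarize_exposure(SAMPLE_LOG.splitlines()).items()):
        print(f"{dst}: telnet reachable from {len(sources)} external address(es): "
              f"{', '.join(sorted(sources))}")
```

Run against the sample, it reports only 192.168.1.10, reached over telnet from two external addresses; the internal-to-internal session, the SSH connection and the dropped attempt are left out. On a real network the same summary, fed from the border firewall's accept log, is the list of devices whose telnet service should be disabled or firewalled, which removes the exposure regardless of what credentials the device ships with.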