Botnet Uses Default Passwords To Conduct "Internet Census 2012"
An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the entire IPv4 address space."
From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."
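The summary above describes the whole technique: connect to the Telnet port, answer the login/password prompts with four default pairs, and treat a shell prompt as success. The following is an added example, not code from the Internet Census report or from this post, showing that check in Python against a constructed stand-in for a BusyBox device that listens on localhost, so it runs offline. The prompts, the "BusyBox" banner, the lack of Telnet option negotiation and the one-attempt-per-connection behaviour of the fake device are all assumptions made for illustration.

```python
"""Default-credential Telnet check (added example; assumptions noted inline)."""
import socket
import threading

# The four login combinations named in the summary, tried in the order given.
DEFAULT_CREDS = [("root", "root"), ("admin", "admin"), ("root", ""), ("admin", "")]

LOGIN_PROMPT = b"login: "
PASS_PROMPT = b"Password: "
SHELL_PROMPT = b"# "            # assumed BusyBox ash prompt for a root shell
FAIL_BANNER = b"\r\nLogin incorrect\r\n"


def start_fake_device(valid_creds):
    """Constructed stand-in for an embedded device's Telnet login.

    Assumptions: a bare 'login:'/'Password:' dialog with no Telnet option
    negotiation (no IAC sequences), one attempt per connection, and the
    connection is closed right after the verdict. Returns the port it uses.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def handle(conn):
        f = conn.makefile("rb")
        try:
            conn.sendall(LOGIN_PROMPT)
            user = f.readline().rstrip(b"\r\n").decode(errors="replace")
            conn.sendall(PASS_PROMPT)
            pw = f.readline().rstrip(b"\r\n").decode(errors="replace")
            if (user, pw) in valid_creds:
                conn.sendall(b"\r\nBusyBox v1.20.2 (built-in shell)\r\n" + SHELL_PROMPT)
            else:
                conn.sendall(FAIL_BANNER)
        except OSError:
            pass                # client went away; keep serving
        finally:
            f.close()
            conn.close()

    def serve():
        while True:
            conn, _ = srv.accept()
            handle(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _recv_until(sock, marker, timeout=3.0):
    """Read until `marker` appears, the peer closes, or the timeout expires."""
    sock.settimeout(timeout)
    buf = b""
    while marker not in buf:
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:           # peer closed the connection
            break
        buf += chunk
    return buf


def try_login(host, port, user, password):
    """One Telnet-style login attempt; True only if a shell prompt comes back."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        if LOGIN_PROMPT not in _recv_until(s, LOGIN_PROMPT):
            return False
        s.sendall(user.encode() + b"\r\n")
        if PASS_PROMPT not in _recv_until(s, PASS_PROMPT):
            return False
        s.sendall(password.encode() + b"\r\n")
        reply = _recv_until(s, SHELL_PROMPT)
        return SHELL_PROMPT in reply and b"incorrect" not in reply


def find_default_login(host, port, creds=DEFAULT_CREDS):
    """Return the first (user, password) pair that yields a shell, else None."""
    for user, pw in creds:
        if try_login(host, port, user, pw):
            return (user, pw)
    return None


if __name__ == "__main__":
    # Two constructed devices: one with an empty root password, one with a real one.
    weak = start_fake_device({("root", "")})
    strong = start_fake_device({("admin", "correct horse battery staple")})
    print("weak device  :", find_default_login("127.0.0.1", weak))    # ('root', '')
    print("strong device:", find_default_login("127.0.0.1", strong))  # None
```

Real devices differ from the stand-in in ways that matter for an audit: most Telnet servers open with IAC option negotiation that must be answered or stripped, prompts vary by firmware, and some lock out after failed attempts. Nmap's `telnet-brute` NSE script handles that negotiation, which is why the report's authors started there. Run a check like this only against devices you own or are authorized to test; the thread below is about exactly what happens when that line is crossed.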
Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed.
They're so going to jail.
This Space Intentionally Left Blank
The FBI only cares if you embarrass a major campaign contributor. e.g. AT&T is the largest campaign contributor in the country, beating out even Goldman Sachs.
Give me Classic Slashdot or give me death!
I don't like the idea of someone going around testing all of these devices any better than I like the idea of some guy going around my neighborhood checking to see if all the doors and windows are locked.
Ah, the ostrich plan. Don't run away; don't protect yourself; just stick your head in the sand, or put on the Beeblebrox safety glasses.
If he can do this, *please* imagine what a true black hat could do with it. FFS!!!111
BTW, seeing if a doorknob turns != opening the door.
"Tongue tied and twisted, just an Earth bound misfit
If no actual harm was done then chasing after the researchers for prosecution is a waste of public money in my opinion, speaking as a tax payer.
And I mean actual harm, not the made-up harm of "unlawful use of computer equipment" or similar ones which are just infringements in principle, without actual harm done.
There are so many really bad guys out there to chase that this researcher should be way down on the priority list for enforcement, or, using a bit of common sense, not on it at all. And if he is identified then all he really deserves is a rap across the knuckles just for being unethical.
Postings all go about how this is illegal and not about the technical situation.
It is sad times when people are more worried about the legal threat and ruining their lives and not about the technical implications.
How many people do not dare to bring solutions because they might be punished?
Don't fight for your country, if your country does not fight for you.
They did slightly more than look to see what was open. This is more like, "you had 2 open windows and one unlocked door, so I left some yogurt in your fridge and took pictures of your wife while she was sleeping. I will be posting the pictures to the world as proof, you are welcome for the yogurt. Enjoy!"
Except he did not activate any webcams or gather any data beyond what ports were available and whether he was able to install his rootkit. Why didn't you extend the analogy even further to raping my daughters and defecating in my bed? I mean, why not go all out in the attempt to generate an emotional response to a completely unrelated problem? Does your post also mean that you would shoot the writer of this study, if you found out who he was?
And I feel again confirmed that the US doesn't have a gun problem, but a response problem: you conflate one thing with something vastly different, then determine response based on the emotional reaction you have to the vastly different thing.
Those who can, do. Those who can't, sue.
No one is refusing to prosecute illegal activity on peer to peer networks. There is a 3 strikes law in my country with the specific purpose of doing exactly this.
What is wrong is making the mechanism illegal because it can be used for illegal purposes. It's like banning teaspoons and lighters because people use them to take drugs.
Should it be illegal to buy steak knives, because people use them to commit murder?