Researchers scanning global IP addresses estimate

Oct 27, 2009 13:17 GMT

A study on the prevalence of vulnerable embedded network devices on the Internet has revealed worrying results. Researchers have discovered tens of thousands of remotely-accessible devices with default passwords during their scans so far.

The project, which maps the distribution of vulnerable embedded network devices over several continents, is the work of a few researchers from Columbia University's Intrusion Detection Systems Lab. Their effort started last December and involves scanning the IP space of major ISPs in North America, Europe and Asia.

"Devices like routers, NAS appliances, home entertainment appliances, wifi access points, web cams, VoIP appliances, print servers and video conferencing units reside on the same networks as our personal computers and enterprise servers and together form our world-wide communication infrastructure. Widely deployed and often misconfigured, they constitute highly attractive targets for exploitation," the researchers explain (PDF).

So far the scanning has focused on one of the simplest attack vectors: publicly-accessible management interfaces configured with default passwords. The data is then broken down by several criteria, such as device type or region, in order to get a better picture of the overall situation around the world.

The researchers have established a global average vulnerability rate of 41.62% for consumer devices such as home routers, cable modems and webcams. Meanwhile, enterprise devices were less prone to misconfiguration, with only 2.46% of them being vulnerable. VoIP devices scored somewhere in between, with a rate of 19.21%.

When it comes to global distribution, the team of researchers concluded that "Insecurity is pervasive world-wide: Vulnerable devices can be found in significant numbers in all parts of the world covered by our scan. The double digit vulnerability rates suggest that a large botnet can be created by constituting only embedded network devices."

However, the results for a given device manufacturer vary depending on the market. For example, the Linksys brand had the highest number of devices overall, but its rate varied by country: 70% of Linksys routers detected in Japan ran on default settings, Canada had a rate of 60%, and 38.5% of such devices were vulnerable in the United States.

According to the researchers, via Wired, a total of 130 million IP addresses have been scanned so far; almost 300,000 devices with remotely-accessible admin interfaces were located, and 21,000 of them still had the default passwords. Extrapolating from these results, it is estimated that as many as six million vulnerable devices can be found on the Internet.