Yes, humans are the weakest link in the security chain, but when three careless default settings are present at the same time, criminals often enjoy easy access to devices and industrial control systems.
That scenario is what the Australian Computer Emergency Response Team (AusCERT) found in one of its most recent analyses of previously undisclosed data relating to the Internet Census 2012.
For the analysis, presented at the AusCERT conference last week, the creator of the census gave AusCERT nine terabytes of data, including information on 1.2 million identifiable devices that could be infected by the Carna botnet, the botnet that made it possible to scan the entire IPv4 address space.
AusCERT found that Carna exploits careless default configurations. The devices the botnet infected are directly reachable from the Internet, offer telnet access on port 23 without a firewall in front of it, and use default credentials such as admin:admin, admin:password or root:password. The devices in question were easy to identify from the output of the ifconfig command. AusCERT emphasized that responsibility for the devices being this vulnerable lies with the manufacturers, not with “stupid” users.
Users often have little opportunity to change their devices’ default settings themselves, AusCERT said. Backdoors are often deliberately hardcoded by the manufacturers, login credentials cannot be changed, or users do not even know that a device has an active Internet connection. In addition, some devices require a publicly reachable IP address for their full range of features to be available.
Only around 1,614 of the roughly 1.2 million identified devices are in Australia.
The majority of insufficiently protected devices were in China, followed by Turkey and India. To close the security holes on a global scale, AusCERT said, it passed its research results to every country and associated CERT where more than 10,000 devices suffer from the problem; in all, information went out to 22 countries. AusCERT said the majority of the security holes could be fixed by closing port 23. The Carna botnet is built in such a way that a hardware reset or reboot removes it.
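As an added illustration (not part of the AusCERT analysis or this article), a small Python audit that checks an asset inventory for the three careless defaults described above and orders the fixes the article names; the inventory schema, device names and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Default login pairs named in the AusCERT analysis, as (username, password).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "password")}

# Address ranges not routable from the Internet; anything else is treated as reachable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass
class Device:
    """One asset-inventory record (hypothetical schema constructed for this example)."""
    name: str
    address: str        # address the management interface listens on
    open_ports: set     # TCP ports a scan found open on that address
    firewalled: bool    # True if a firewall filters inbound traffic to the device
    credentials: tuple  # (username, password) configured for management login

def is_internet_reachable(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in NON_ROUTABLE)

def risk_factors(dev: Device) -> list:
    """Return which of the three careless defaults this device exhibits."""
    factors = []
    if is_internet_reachable(dev.address):
        factors.append("internet-reachable")
    if 23 in dev.open_ports and not dev.firewalled:
        factors.append("unfiltered-telnet")
    if tuple(dev.credentials) in DEFAULT_CREDENTIALS:
        factors.append("default-credentials")
    return factors

def remediation(dev: Device) -> list:
    """Order the fixes the article names: port 23 first, since credentials often cannot be changed."""
    factors, steps = risk_factors(dev), []
    if "unfiltered-telnet" in factors:
        steps.append("close or firewall port 23")
    if "default-credentials" in factors:
        steps.append("change default credentials; if the vendor prevents this, keep the device off the Internet")
    return steps

def fully_exposed(devices) -> list:
    """Names of devices showing all three factors at once, the combination Carna exploited."""
    return [d.name for d in devices if len(risk_factors(d)) == 3]

# Constructed sample inventory; 203.0.113.x is a documentation range standing in for public addresses.
INVENTORY = [
    Device("cam-01", "203.0.113.7", {23, 80}, False, ("admin", "admin")),
    Device("nas-02", "192.168.1.20", {23, 445}, False, ("root", "password")),
    Device("router-03", "203.0.113.9", {22, 443}, True, ("ops", "constructed-strong-passphrase")),
]
```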