You probably haven’t heard of HD Moore, but up to a few weeks ago every Internet device in the world, perhaps including some in your own home, was contacted roughly three times a day by a stack of computers that sit overheating his spare room. “I have a lot of cooling equipment to make sure my house doesn’t catch on fire,” says Moore, who leads research at computer security company Rapid7. In February last year he decided to carry out a personal census of every device on the Internet as a hobby. “This is not my day job; it’s what I do for fun,” he says.
Moore has now put that fun on hold. “[It] drew quite a lot of complaints, hate mail, and calls from law enforcement,” he says. But the data collected has revealed some serious security problems, and exposed some vulnerable business and industrial systems of a kind used to control everything from traffic lights to power infrastructure.
Moore’s census involved regularly sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world (Google, in contrast, collects information offered publicly by websites). Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them.
On Tuesday, Moore published results on a particularly troubling segment of those vulnerable devices: ones that appear to be used for business and industrial systems. Over 114,000 of those control connections were logged as being on the Internet with known security flaws. Many could be accessed using default passwords and 13,000 offered direct access through a command prompt without a password at all.
Those vulnerable accounts offer attackers significant opportunities, says Moore, including rebooting company servers and IT systems, accessing medical device logs and customer data, and even gaining access to industrial control systems at factories or power infrastructure. Moore’s latest findings were aided by a similar dataset published by an anonymous hacker last month, gathered by compromising 420,000 pieces of network hardware.
The connections Moore was looking for are known as serial servers, used to connect devices to the Internet that don’t have that functionality built in. “Serial servers act as glue between archaic systems and the networked world,” says Moore. “[They] are exposing many organizations to attack.” Moore doesn’t know whether the flaws he has discovered are being exploited yet, but has released details on how companies can scan their systems for the problems he uncovered.
Joel Young, chief technology officer of Digi International, manufacturer of many of the unsecured serial servers that Moore found, welcomed the research, saying it had helped his company understand how people were using its products. “Some customers that buy and deploy our products didn’t follow good security policy or practices,” says Young. “We have to do more proactive education for customers about security.”
Young says his company sells a cloud service that can give its products a private, secured connection away from the public Internet. However, he also said that Digi would continue to ship products with default passwords, because it made initial setup smoother, and that makes customers more likely to set their own passwords. “I haven’t found a better way,” he says.
Billy Rios, a security researcher who works on industrial control systems at security startup company Cylance, says Moore’s project provides valuable numbers to quantify the scale of a problem that is well-known to experts like himself but underappreciated by companies at risk.
Rios says that in his experience, systems used by more “critical” facilities such as energy infrastructure are just as likely to be vulnerable to attack as those used for jobs such as controlling doors in a small office. “They are using the same systems,” he says.
Removing serial servers from the public Internet so that they are accessed through a private connection could prevent many of the easiest attacks, says Rios, but attackers could still use various techniques to steal the necessary credentials.
The new work adds to other significant findings from Moore’s unusual hobby. Results he published in January showed that around 50 million printers, games consoles, routers, and networked storage drives are connected to the Internet and easily compromised due to known flaws in a protocol called Universal Plug and Play (UPnP). This protocol allows computers to automatically find printers, but is also built into some security devices, broadband routers, and data storage systems, and could be putting valuable data at risk.
Data collected by Moore’s survey has also helped Rapid7 colleagues identify how a piece of software called FinFisher was used by law enforcement and intelligence agencies to spy on political activists. It also helped unmask the control structure for a long-running campaign called Red October that infiltrated many government systems in Europe.
Moore believes the security industry is overlooking some rather serious, and basic, security problems by focusing mostly on the computers used by company employees. “It became obvious to me that we’ve got some much bigger issues,” says Moore. “There [are] some fundamental problems with how we use the Internet today.” He wants to get more people working to patch up the backdoors that are putting companies at risk.
However, Moore has no plans to probe the entire Internet again. Large power and Internet bills, and incidents such the Chinese government’s Computer Emergency Response Team asking U.S. authorities to stop Moore “hacking all their things” have convinced him it’s time to find a new hobby. However, with plenty of data left to analyze, there will likely be more to reveal about the true state of online security, says Moore: “We’re sitting on mountains of new vulnerabilities.”