Internet-Wide Scan Finds Hundreds of Thousands of Ready-Made Backdoors
A security researcher that (gently) probed every computer on the Internet to discover hundreds of thousands of unsecured systems (see “When One Man Pinged the Whole Internet”) has now repeated the exercise to find hundreds of thousands of servers that could be trivially taken over by an attacker.
HD Moore, chief research officer at Rapid7, did a fresh scan of the Internet after hearing about vulnerabilities in a standard component of servers that allows them to be monitored and controlled remotely. Independent researcher Dan Farmer recently showed that flaws in the design of many Baseboard Management Controllers (BMCs) mean they could all too easily provide unauthorized access and control, too.
Moore’s scan found 308,000 BMCs that used the problem protocol identified by Farmer. A total of 53,000 of them were configured in a way that allows access without a password; 195,000 stored passwords and other credentials unencrypted; 99,000 exposed encoded passwords that could be cracked by an attacker (Moore says that he unscrambled 10 percent in a preliminary test); 35,000 had vulnerabilities in the Universal Plug and Play protocol that Moore’s previous Internet scan highlighted.
Moore explains the consequences of what he found like this in an FAQ document:
“An attacker that is able to compromise a BMC should be able to compromise its parent server. Once access to the server is gained, the attacker could copy data from any attached storage, make changes to the operating system, install a permanent backdoor, capture credentials passing through the server, launch a denial of service attack, or simply wipe the hard drives.”
That information released by the researchers doesn’t reveal anything about what types of organizations are at risk, but the numbers make it clear that the problem is widespread. Moore told Wired that “essentially every modern company and government on the planet” relies on the flawed BMC protocol examined in his study.
These new results underline what Moore told us earlier this year, when speaking about his initial project to ping the entire Internet. Most public attention and industry effort is focused on the security of the computers on people’s desks, but it seems to common for powerful, core parts of IT systems to be exposed online.
Keep Reading
Most Popular
DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.
“This is a profound moment in the history of technology,” says Mustafa Suleyman.
What to know about this autumn’s covid vaccines
New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.
Human-plus-AI solutions mitigate security threats
With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure
Next slide, please: A brief history of the corporate presentation
From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.
Stay connected
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.