Skip to Content
Uncategorized

Internet-Wide Scan Finds Hundreds of Thousands of Ready-Made Backdoors

Many poorly-secured company servers are exposed online, offering attackers ready made backdoors to wipe or steal data

A security researcher that (gently) probed every computer on the Internet to discover hundreds of thousands of unsecured systems (see “When One Man Pinged the Whole Internet”) has now repeated the exercise to find hundreds of thousands of servers that could be trivially taken over by an attacker.

HD Moore, chief research officer at Rapid7, did a fresh scan of the Internet after hearing about vulnerabilities in a standard component of servers that allows them to be monitored and controlled remotely. Independent researcher Dan Farmer recently showed that flaws in the design of many Baseboard Management Controllers (BMCs) mean they could all too easily provide unauthorized access and control, too.

Moore’s scan found 308,000 BMCs that used the problem protocol identified by Farmer. A total of 53,000 of them were configured in a way that allows access without a password; 195,000 stored passwords and other credentials unencrypted; 99,000 exposed encoded passwords that could be cracked by an attacker (Moore says that he unscrambled 10 percent in a preliminary test); 35,000 had vulnerabilities in the Universal Plug and Play protocol that Moore’s previous Internet scan highlighted.

Moore explains the consequences of what he found like this in an FAQ document:

“An attacker that is able to compromise a BMC should be able to compromise its parent server. Once access to the server is gained, the attacker could copy data from any attached storage, make changes to the operating system, install a permanent backdoor, capture credentials passing through the server, launch a denial of service attack, or simply wipe the hard drives.”

That information released by the researchers doesn’t reveal anything about what types of organizations are at risk, but the numbers make it clear that the problem is widespread. Moore told Wired that “essentially every modern company and government on the planet” relies on the flawed BMC protocol examined in his study.

These new results underline what Moore told us earlier this year, when speaking about his initial project to ping the entire Internet. Most public attention and industry effort is focused on the security of the computers on people’s desks, but it seems to common for powerful, core parts of IT systems to be exposed online.

Deep Dive

Uncategorized

Our best illustrations of 2022

Our artists’ thought-provoking, playful creations bring our stories to life, often saying more with an image than words ever could.

How CRISPR is making farmed animals bigger, stronger, and healthier

These gene-edited fish, pigs, and other animals could soon be on the menu.

The Download: the Saudi sci-fi megacity, and sleeping babies’ brains

This is today’s edition of The Download, our weekday newsletter that provides a daily dose of what’s going on in the world of technology. These exclusive satellite images show Saudi Arabia’s sci-fi megacity is well underway In early 2021, Crown Prince Mohammed bin Salman of Saudi Arabia announced The Line: a “civilizational revolution” that would house up…

10 Breakthrough Technologies 2023

Every year, we pick the 10 technologies that matter the most right now. We look for advances that will have a big impact on our lives and break down why they matter.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.