Tom Simonite


Internet-Wide Scan Finds Hundreds of Thousands of Ready-Made Backdoors

Many poorly secured company servers are exposed online, offering attackers ready-made backdoors to wipe or steal data.

  • July 3, 2013

A security researcher who (gently) probed every computer on the Internet and discovered hundreds of thousands of unsecured systems (see “When One Man Pinged the Whole Internet”) has now repeated the exercise to find hundreds of thousands of servers that could be trivially taken over by an attacker.

HD Moore, chief research officer at Rapid7, did a fresh scan of the Internet after hearing about vulnerabilities in a standard component of servers that allows them to be monitored and controlled remotely. Independent researcher Dan Farmer recently showed that flaws in the design of many Baseboard Management Controllers (BMCs) mean they could all too easily provide unauthorized access and control, too.

Moore’s scan found 308,000 BMCs that used the problem protocol identified by Farmer. A total of 53,000 of them were configured in a way that allows access without a password; 195,000 stored passwords and other credentials unencrypted; 99,000 exposed encoded passwords that could be cracked by an attacker (Moore says that he unscrambled 10 percent in a preliminary test); and 35,000 had vulnerabilities in the Universal Plug and Play protocol that Moore’s previous Internet scan highlighted.

Moore explains the consequences of what he found like this in an FAQ document:

“An attacker that is able to compromise a BMC should be able to compromise its parent server. Once access to the server is gained, the attacker could copy data from any attached storage, make changes to the operating system, install a permanent backdoor, capture credentials passing through the server, launch a denial of service attack, or simply wipe the hard drives.”

The information released by the researchers doesn’t reveal anything about what types of organizations are at risk, but the numbers make it clear that the problem is widespread. Moore told Wired that “essentially every modern company and government on the planet” relies on the flawed BMC protocol examined in his study.

These new results underline what Moore told us earlier this year, when speaking about his initial project to ping the entire Internet. Most public attention and industry effort is focused on the security of the computers on people’s desks, but it seems too common for powerful, core parts of IT systems to be exposed online.
