Australia’s Internet space shows the same distribution of vulnerable IP ports as the rest of the world and a dangerous preponderance of insecure Universal Plug ‘n’ Play (UPnP) devices, Metasploit Project founder HD Moore has warned while recounting the surprising results of his efforts to catalogue the results of communicating with every IP address on the Internet.
Between February 2012 and April 2013, Moore – chief security officer at security-testing firm Rapid7 – set up a fat broadband connection and a number of scripts that would progressively cycle through all possible combinations of IP address – sending packet requests on common Internet Protocol (IP) ports and recording what came back.
A range of ports were tested, including Telnet, FTP, UDP services, UPnP, and others that commonly exist on every IP network. Each port was queried across every IPv4 address on the Internet, over the course of two or three months each.
At a rate of around 11m new service ‘fingerprints’—responses from insecure hosts—discovered across 5m unique IP addresses every day, the Metasploit database quickly grew to 150 million new service fingerprints per month.
Moore’s actions didn’t go unnoticed: he received over 3300 abuse reports from targets who noticed his intense port-scanning activities and reported him to authorities. “I got all kinds of crazy death threats, and had the attorney-general from a US state call me and try to put me in jail,” Moore laughed as he told the audience at the AusCERT 2013 security conference.
“One US law enforcement agency was contacted by Chinese law enforcement who thought I was hacking them. I became a Chinese APT [advanced persistent threat] for a period of time because they couldn’t figure out what I was doing.”
By the time the project wound up, 348 million unique IP addresses had responded. Moore’s scans consumed over 650TB of bandwidth, filled up 12TB of disk space, and uncovered “a lot of government botnets, active botnet command-and-control servers, and other stuff we shouldn’t have found”.
Through a happy coincidence, a SNMP (Simple Network Management Protocol) query sent to one Asian IP address returned bank-account details from a range of wire transfers, which were offered as an SNMP response due to a bug that inadvertently sent the contents of the clipboard as a status report. All told, Moore’s project uncovered 75 million open SNMP servers: “SNMP read access is a major security issue,” he said.
But it was UPnP, the “fun” protocol used by ISP-provided routers, home-entertainment equipment and consumer network devices, that offered the highest number of responses—and was therefore by far the least secure protocol on the Net. The effort found 6900 different products, spread across 1500 distinct brands, which were insecure because they were built on known insecure UPnP stacks.
Worse still, Moore said, the UPnP vulnerabilities have been perpetuated for years and are virtually unfixable. “You have to really understand what’s out there to defend it,” Moore said. “We’re seeing vendors doing a poor job of locking down equipment, and ISPs providing insecure equipment with no regard to the impact on users.”
“In a lot of cases these are really expensive problems to fix—and, unfortunately, the industry has gotten to the point where we have little choice but to use software and hardware that has endemic flaws.”
Those flaws arise when consumer-electronics vendors license a particular base operating system for use in a device, then fail to update it over time even as new exploits for that platform are discovered. The result: millions of routers, servers, network attached storage (NAS) arrays, TVs, printers, and other Internet-connected equipment that’s ready and waiting to be exploited by a malicious hacker.
“There’s a glaring hole in terms of what machines we don’t update,” Moore said. “And those are likely to become our biggest risk going forward. If I’ve only got $5 and I want to break as many machines on the Internet as fast as I can, what vector would give me the fastest results? UPnP. The same libupnp flaw applies to over 23m systems, and you’ve got 35,000 vulnerable servers you can spoof with a single UPnP packet.”