Carna Compromise Delivers Data, But Casts Suspicions

Created by an anonymous researcher, the Carna botnet found that 1.2 million Internet-connected devices are trivially exploitable, but the illegality of the methods raises doubts

An anonymous researcher who infected more than 420,000 systems with a program aimed at collecting data on the Internet has resurrected a debate over whether the compromise of systems can be justified in pursuit of beneficial aims.

The resulting botnet, dubbed Carna by the researcher who created it, allowed the person to collect data on the Internet as well as search for addresses that hosted vulnerable systems. While having additional data on the state of the Internet is always welcome -- especially when it can help verify past surveys that may not have been as comprehensive -- the illegal compromise of people's systems taints the entire effort, says HD Moore, chief security officer for Rapid7.

"There are other ways -- legal ways -- to collect this same data," says Moore, who has conducted his own scans of the Internet, but from his own servers. "Unfortunately, it casts a cloud over everyone doing this type of research."

In a paper published in mid-March, the researcher -- who could also be a group posing as an individual -- found that many devices with embedded operating systems have default or no passwords, making compromising the devices trivial. Consumer routers and set-top boxes are among the most common offenders, many of which allow easy access from the Internet.

A wide variety of lessons can be gleaned from the incident, from the vulnerability of embedded devices to the need for better design of future products.

1. The Internet Of Things Is Vulnerable
While the Carna botnet provided some interesting numbers on the size of the Internet -- finding some 450 million IP addresses definitely in use -- the real goal of the botnet was to demonstrate the vulnerability of many of the embedded devices that are overlooked on a daily basis.

From set-top boxes to routers to videoconferencing systems, the list of non-PC devices that are connected to the Internet in some insecure way is growing, Carna's creator stated in the report describing the experiment.

"A lot of devices and services we have seen during our research should never be connected to the public Internet at all," he stated. "As a rule of thumb, if you believe that 'nobody would connect that to the Internet, really nobody,' there are at least 1000 people who did. Whenever you think 'that shouldn't be on the Internet but will probably be found a few times,' it's there a few hundred thousand times."

2. Don't Expect ISPs To Fix The Problems
While Internet service providers are a logical group to expect to help out customers secure their systems, fixing the flaws in the wide variety of embedded systems on the Internet is difficult and costly. While a number of efforts are under way worldwide to enable ISPs to help their customers -- such as the U.S. Anti-Bot Code of Conduct for Internet Service Providers (ABCs for ISPs) -- whether the initiatives are paying off is still a question.

"As long as they are not suffering any loss financially from this vulnerability, why fix it?" says Joe Stewart, director of malware research for Dell Secureworks. "So I think [these vulnerable systems] will stay around for a while. I don't think these systems are going to be patched or default passwords are going to be changed."

[Seven months after a government-industry coalition announced recommendations for ISPs to fight botnets, success is still a long way off. See Anti-Botnet Efforts Still Nascent, But Groups Hopeful.]

3. Device Makers Must Build For The Future
From Android phones to routers to office printers, products that have some barriers to the quick patching of vulnerabilities are increasingly being targeted by attackers. The manufacturers of these devices must account for the total life cycle of the products, including a way to conveniently, yet reliably and securely, patch the system, says Tom Cross, director of security research for Lancope.

"It is up to the manufacturer to design something that is secure, even if the user doesn't deploy them following best practices," he says.
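The "reliably and securely patch" requirement above is easier to reason about with a concrete updater in front of you. The following Go program is an added illustration written for this article, not code from Carna's author, Lancope, or any device vendor: it models a device that only accepts firmware packages carrying a valid Ed25519 signature from a key burned in at manufacture, and that refuses downgrades to an older version. The `Update` format, the `Device` type and the sample image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a firmware package as the device would receive it: a monotonically
// increasing version number, the image bytes, and a detached Ed25519 signature
// over (version || SHA-256(image)). This layout is hypothetical, chosen for the example.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedMessage binds the version to the image digest, so a valid old image
// cannot be re-labelled with a newer version number (or vice versa).
func signedMessage(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	msg := make([]byte, 4, 4+len(digest))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, digest[:]...)
}

// SignUpdate is the manufacturer-side step: the build system signs with its private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	return Update{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedMessage(version, image)),
	}
}

// Device holds the only state the updater needs: the vendor public key
// provisioned at manufacture and the currently installed version.
type Device struct {
	VendorKey ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

// Apply verifies the signature before anything else, then enforces monotonic
// versions, and only then "installs" by recording the new version. Because the
// signature check comes first, an unsigned or tampered package never touches state.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorKey, signedMessage(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= d.Installed {
		return ErrRollback
	}
	d.Installed = u.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, Installed: 1}

	good := SignUpdate(priv, 2, []byte("firmware v2 (constructed sample image)"))
	fmt.Println("genuine v2:", dev.Apply(good))

	tampered := good // same version and signature, image modified in transit
	tampered.Image = []byte("firmware v2 (modified in transit)")
	fmt.Println("tampered image:", dev.Apply(tampered))

	old := SignUpdate(priv, 1, []byte("firmware v1 (constructed sample image)"))
	fmt.Println("downgrade to v1:", dev.Apply(old))
}
```

Two design points matter here. Signing the version together with the image digest is what makes the rollback check trustworthy; if the version were an unsigned header field, the check could be bypassed by editing it. And the device stores no secret at all, only the vendor's public key, so compromising a fielded unit (the Carna-style scenario of a router with a default password) does not yield signing capability for other units.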
