
Carna Compromise Delivers Data, But Casts Suspicions

Created by an anonymous researcher, the Carna botnet found that 1.2 million Internet-connected devices are trivially exploitable, but the illegality of the methods raises doubts

An anonymous researcher who infected more than 420,000 systems with a program aimed at collecting data on the Internet has resurrected a debate over whether the compromise of systems can be justified in pursuit of beneficial aims.

The resulting botnet, dubbed Carna by the researcher who created it, allowed the person to collect data on the Internet as well as search for addresses that hosted vulnerable systems. While having additional data on the state of the Internet is always welcome -- especially when it can help verify past surveys that may not have been as comprehensive -- the illegal compromise of people's systems taints the entire effort, says HD Moore, chief security officer for Rapid7.

"There are other ways -- legal ways -- to collect this same data," says Moore, who has conducted his own scans of the Internet, but from his own servers. "Unfortunately, it casts a cloud over everyone doing this type of research."

In a paper published in mid-March, the researcher -- who could also be a group posing as an individual -- found that many devices with embedded operating systems have default or no passwords, making compromising the devices trivial. Consumer routers and set-top boxes are among the most common offenders, many of which allow easy access from the Internet.

A wide variety of lessons can be gleaned from the incident, from the vulnerability of embedded devices to the need for better design of future products.

1. The Internet Of Things Is Vulnerable
While the Carna botnet provided some interesting numbers on the size of the Internet -- finding some 450 million IP addresses definitely in use -- the real goal of the botnet was to demonstrate the vulnerability of many of the embedded devices that are overlooked on a daily basis.

From set-top boxes to routers to videoconferencing systems, the list of non-PC devices that are connected to the Internet in some insecure way is growing, Carna's creator stated in the report describing the experiment.

"A lot of devices and services we have seen during our research should never be connected to the public Internet at all," he stated. "As a rule of thumb, if you believe that 'nobody would connect that to the Internet, really nobody,' there are at least 1000 people who did. Whenever you think 'that shouldn't be on the Internet but will probably be found a few times,' it's there a few hundred thousand times."

2. Don't Expect ISPs To Fix The Problems
While Internet service providers are a logical group to expect to help out customers secure their systems, fixing the flaws in the wide variety of embedded systems on the Internet is difficult and costly. While a number of efforts are under way worldwide to enable ISPs to help their customers -- such as the U.S. Anti-Bot Code of Conduct for Internet Service Providers (ABCs for ISPs) -- whether the initiatives are paying off is still a question.

"As long as they are not suffering any loss financially from this vulnerability, why fix it?" says Joe Stewart, director of malware research for Dell Secureworks. "So I think [these vulnerable systems] will stay around for a while. I don't think these systems are going to be patched or default passwords are going to be changed."

[Seven months after a government-industry coalition announced recommendations for ISPs to fight botnets, success is still a long way off. See Anti-Botnet Efforts Still Nascent, But Groups Hopeful.]

3. Device Makers Must Build For The Future
From Android phones to routers to office printers, products that have some barriers to the quick patching of vulnerabilities are increasingly being targeted by attackers. The manufacturers of these devices must account for the total life cycle of the products, including a way to conveniently, yet reliably and securely, patch the system, says Tom Cross, director of security research for Lancope.

"It is up to the manufacturer to design something that is secure, even if the user doesn't deploy them following best practices," he says.
