Recently an anonymous “researcher” published online the results of what the author refers to as the “Internet Census 2012”. Although the method used to put together such a huge network analysis effort could be considered a bit unethical (it involved infecting hundreds of thousands of connected devices), the results are rather interesting. Moreover, the author is releasing the entire data set obtained from this scan of the global IPv4 address space, which could greatly benefit future research. I am actually expecting a paper, some kind of analysis, or at least references to this data set at the next Internet Measurement Conference.

As I was mentioning, this massive scan of the entire IPv4 address space was obtained by means of a massive botnet (the author refers to it as the Carna Botnet), which infected about 420000 devices, including webcams, routers, and printers running on the Internet. The main vulnerability exploited was the fact that many Internet-connected devices use a default password or, often, no password at all. Although the author insists on this aspect, this is not a new result. It has been known for quite some time that a large number of connected devices are using default or no protection. Very interesting results on this were published by a team of researchers from Columbia University in their paper “A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan”, presented at ACSAC in 2010.

This story has been widely discussed in the media, with tons of articles and blog posts talking about it (including this one). For more details, I refer readers to the CNet story or the paper released by the Carna Botnet’s author.

From CNet:

Among the findings, the researcher found 52 billion ICMP (Internet Control Message Protocol) ping probes and 10.5 billion reverse DNS (domain name system) records. There were also 180 billion service probe records.

“This project is, to our knowledge, the largest and most comprehensive IPv4 census ever,” the researcher wrote. “With a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible.”

As important as the census data might be to some, the research highlights a very important security concern: It appears quite easy for insecure devices to be compromised. And although in this case they were used for good, it wouldn’t be that difficult for someone to take a much more dangerous path.

It’s a potential for trouble that is quite far-reaching.

“As could be seen from the sample data,” the researcher wrote, “insecure devices are located basically everywhere on the Internet. They are not specific to one ISP or country. So the problem of default or empty passwords is an Internet and industry wide phenomenon.”