Are you familiar with the Carna Botnet? If not, you really should be. Back in 2012, an anonymous hacker set out to “measure” the Internet in a survey entitled The Internet Census of 2012. Using the Nmap Scripting Engine, the hacker scanned every publicly addressable IP address with the goal of finding just what was out there. More importantly, the census wanted to learn how many of those devices were unprotected. Sadly, it found a lot of them.
While quite a few of the discovered devices were consumer-grade, many were IPsec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment, and so on. Finding these enterprise devices was not surprising, but far too many were still configured to accept default login credentials such as root/root and admin/admin. Ultimately, approximately 420,000 unprotected devices were discovered and the hacker was able to load scanning code onto them that allowed him or her to essentially probe the entire Internet.
In my latest article for No Jitter, I discuss how security and privacy need to be factored into all the Internet of Things (IoT) devices we are deploying.