DOI: 10.1145/1920261.1920276
Research article

A quantitative analysis of the insecurity of embedded network devices: results of a wide-area scan

Published: 06 December 2010

Abstract

We present a quantitative lower bound on the number of vulnerable embedded devices on a global scale. Over the past year, we have systematically scanned large portions of the internet to monitor the presence of trivially vulnerable embedded devices. At the time of writing, we have identified over 540,000 publicly accessible embedded devices configured with factory default root passwords. This constitutes over 13% of all discovered embedded devices. These devices range from enterprise equipment such as firewalls and routers to consumer appliances such as VoIP adapters, cable and IPTV boxes to office equipment such as network printers and video conferencing units. Vulnerable devices were detected in 144 countries, across 17,427 unique private enterprise, ISP, government, educational, satellite provider as well as residential network environments. Preliminary results from our longitudinal study tracking over 102,000 vulnerable devices revealed that over 96% of such accessible devices remain vulnerable after a 4-month period. We believe the data presented in this paper provides a conservative lower bound on the actual population of vulnerable devices in the wild. By combining the observed vulnerability distributions and their potential root causes, we propose a set of mitigation strategies and hypothesize about their quantitative impact on reducing the global vulnerable embedded device population. Employing our strategy, we have partnered with Team Cymru to engage key organizations capable of significantly reducing the number of trivially vulnerable embedded devices currently on the internet. As an ongoing longitudinal study, we plan to gather data continuously over the next year in order to quantify the effectiveness of the community's cumulative effort to mitigate this pervasive threat.

Published In

ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
December 2010
419 pages
ISBN: 9781450301336
DOI: 10.1145/1920261
Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

ACSAC '10
Sponsor:
  • ACSA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%
