Mapping the Internet: A Hacker's Secret Internet Census
Just how big is the Internet? An anonymous hacker claims to have answered the question via effective but illegal means. The result is a fascinating reflection of online usage around the world.
Somewhere on this planet there is a hacker whose emotions are likely shifting between pride and fear. Pride, because he managed to do what no one else has managed. And fear, because it was illegal in almost every country in the world.
This person measured the Internet -- the entire public network as it appeared in 2012. To achieve this Herculean task, the hacker illegally used a tool that utilized others' computers across the globe.
The anonymous person simply wanted to find out how many devices that were online could be opened with the standard password "root," he writes in a kind of research report on the project, entitled "Internet Census 2012." The result was the discovery that there are hundreds of thousands of devices secured only with the most common standard password, or without any password at all.
One of the largest groups of devices he found were routers, an issue we recommend that readers address immediately. Routers received by Internet providers are likely to have one of a few standard administrator passwords, including "root" or "admin." The router producers assume that users will change these passwords when they install them, but this rarely happens.
"As could be seen from the sample data, insecure devices are located basically everywhere on the Internet," the hacker writes. He found over a million devices that were accessible worldwide, the "vast majority of them consumer routers or set-top boxes." But there were also other types of devices, including "industrial control systems" and "physical door security systems." The security risks that the hacker's work exposes are dizzying.
To clear up any confusion, this was not about wireless local area network (WLAN) passwords, which users presumably configure with their own passwords or those provided on the back of the router. The focus was on the standard administrator passwords with which one can access the router itself. This router interface for administrators is not supposed to be accessible from the Internet -- but that often appears not to be the case, according to the hacker's research.
When the hacker's scanning bot found a router or other device with an open door and favorable conditions, it would upload a copy of itself, and from there, conduct further scans on other devices, thus growing exponentially larger. After just one day, the hacker writes that he had some 100,000 devices under his control -- the nucleus of his "Carna Botnet," named after the Roman goddess of internal organs and health, who was later associated with doorsteps and hinges.
In total, the Carna Botnet utilized some 420,000 devices to conduct a swift Internet census as the routers that had been taken over pinged IP addresses and waited for answers. If a device answered, it was included in the count. Deploying this kind of botnet -- defined as a group of Internet-connected programs that communicate with each other -- is obviously illegal. Botnets are often used to send spam or carry out denial of service attacks.
But Carna was used only for counting, and the 420,000 devices were not available all at once. Each time one was shut down and restarted, the Carna Botnet flushed itself from the hardware and had to be reinstalled during the next scan.
A Message for Law Enforcement
The hacker wanted to ensure that his illegal research project did as little damage as possible. "We had no interest in interfering with default device operation so we did not change passwords and did not make any permanent changes," he writes. "After a reboot the device was back in its original state including weak or no password with none of our binaries or data stored on the device anymore." The botnet also uploaded a file to each device with information on the project and a contact email address "to provide feedback for security researchers, ISPs and law enforcement who may notice the project."
The planted software was created to be undetectable and use as few resources as possible. "We did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users," the hacker writes.
The hacker also says that he removed a criminal botnet called Aidra from many of the devices that Carna took over. Carna blocked Aidra from all of the devices that it was present on -- but only until the next restart.
Laying Internet Security Failures Bare
But owners of the devices tapped into by Carna may not regard the project as harmless, even if the hacker's intentions appear to be so. He put the entire data set created by his Internet census online, inviting IT security researchers, intelligence agencies and organized criminals alike to interpret it, though the billions of data points will probably take months to yield more exact findings. But certain data sets include information about which software is running on scanned devices, and which ports react in which way to certain kinds of contact attempts. This could save spies and criminals looking for weak points a lot of work.
At the same time, the Carna hacker's daring exploit makes it painfully clear just how enormously unsafe the Internet is at many points, and could encourage change.
So what were the actual results of the Internet census? How many IP addresses were there in 2012? "That depends on how you count," the hacker writes. Some 450 million were "in use and reachable" during his scans. Then there were the firewalled IPs and those with reverse DNS records (which means there are domain names associated with them). In total, this equalled some 1.3 billion IP addresses in use.
The number is in accord with what renowned security expert HD Moore, the CEO at vulnerability testing company Rapid7, legally came up with last year. Moore told IT news site ArsTechnica that the Carna project's findings appear to be "pretty accurate."
The last large Internet census, the "Internet Protocol Version 4 Census" (IPv4) in 2006, revealed some 187 million visible IP addresses. In other words, the Internet is growing rapidly, even if these numbers are a bit hazy.
The Last Snapshot?
It's important to note that these numbers do not indicate the number of computers that are online. Behind every IP address there are several, sometimes dozens or even hundreds of devices. The data also reveals nothing about the size of these intranets. Carna could only see the access computers on the public Internet.
The Internet Protocol version 4 is still valid, and routes Internet traffic to some 4.3 billion addresses, of which a number are reserved for special uses. Carna's creator estimates that some 2.3 billion IP addresses are inactive under IPv4, as they were before. The introduction of IPv4's replacement, IPv6, has already long been underway, however. The latest IP version will increase the number of addresses so radically -- encompassing some 340 sextillion (a sextillion has 36 zeros) -- that similar scans will hardly be possible. That means the illegal Carna scan is probably the last snapshot of the IPv4 Internet.
So why did the Carna hacker do it? "I saw the chance to really work on an Internet scale, command hundreds of thousands of devices with a click of my mouse, portscan and map the whole Internet in a way nobody had done before, basically have fun with computers and the Internet in a way very few people ever will," he writes.
© SPIEGEL ONLINE 2013
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH