Hundreds of thousands of internet-accessible devices manufactured by Chinese telco ZTE have been found with default or hardcoded usernames and passwords.
The devices were discovered as part of a probe by AusCERT researcher Parth Shukla into the huge datasets provided by the Carna botnet used to map the so-called Internet Census.
The census was a scan of all allocated IPv4 addresses, published in a study released in March by an anonymous researcher. It used the Carna botnet, some 420,000 embedded and publicly-accessible online devices with default credentials, to run scans that counted some 3.7 billion IP addresses in use.
A tiny binary file was uploaded to vulnerable devices. It contained a Telnet scanner that brute-forced credentials on other IPv4 devices over port 23, and another component with code to assign scan ranges and return results.
Shukla was given exclusive access by the anonymous author to the sensitive data collected in the project.
His analysis, presented at AusCERT Sydney, found that Chinese manufacturers were responsible for the lion's share of all affected devices. (pdf)
ZTE topped the charts, accounting for 28 percent of all affected devices worldwide, or 353,436 units. Portuguese outfit SMD informatica sa came in second with nine percent (109,406) of all devices, followed by Chinese-based Shenzhen Gongjin Electronics Co with eight percent (108,929) of devices.
Shukla has provided regional data sets to computer emergency response teams around the world and contacted affected manufacturers in a bid, via coordination through the Institute of Electrical and Electronics Engineers (IEEE), to prevent further production of vulnerable devices.
ZTE did not respond to his requests and its Shenzhen headquarters did not immediately reply to an inquiry by SC.
"The Turkish manufacturer AirTies is the only manufacturer that responded to my invite to collaborate through the IEEE," Shukla said.
"I have given them a sanitised copy of just the AirTies data so they can locate their exact devices. I haven’t heard from them since."
Shukla turned to the IEEE after struggling to find security contacts with the affected manufacturers required to draw attention to the vulnerable devices.
"... Against their normal policy, [they] contacted the top 20 or so manufacturers on my behalf and requested them to contact me to obtain relevant data and information," Shukla said.
Chinese manufacturers dominated the top 20 organisations listed in Shukla's analysis. Other household names included D-Link Corporation, which had two percent (20,139) of the vulnerable device pool, and Sony with one percent (17,042) of devices.
His dataset revealed China had 56 percent (720,141) of the 1.2 million vulnerable devices, the largest amount globally, with one affected device for every 456 IP addresses and 1.79 subnets. Hong Kong followed with seven percent (91,453) of affected devices, and Turkey was third with 87,815 vulnerable devices.
Strikingly, it would take a mere 45 seconds to find an affected device in China by scanning the IPv4 address space, and a mere 13 seconds to find the first device in Hong Kong. Worldwide, it would take five minutes.
Australia was unsurprisingly a blip by comparison. Only 1,614 devices were located in Australia, equating to a 49-minute wait to scan and detect the first device. New Zealand harboured 201 vulnerable devices, taking 57 minutes to find the first device.
Nonetheless, Shukla has contacted the CERTs at the top Aussie telcos representing about 83 percent of all connections in a bid to prevent the manufacture of vulnerable devices.
He has received, at best, word that telcos including Telstra, TPG, Optus, iiNet and M2 were "looking at it".
"Unfortunately, all my attempts to get more info have failed."
Shukla told the telcos that the data he provided would enable the organisations to determine if they sold affected devices. He wrote that the ultimate goal over the next two years was to stop the sale of affected devices that ran unnecessary Telnet instances by default, did not enforce password changes for the service, and did not contain adequate documentation informing users of the Telnet function.
"Achieving this goal will not remove or patch existing devices already in use but hopefully over time, with equipment change, the number of vulnerable devices in Australia will decrease further."
He said telcos blocking port 23 by default would be the "easiest way to deal with the Telnet default cred problem".
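The scanner described above worked by opening Telnet connections on port 23 across address ranges and trying default credentials, and Shukla's proposed mitigation is to block that port at the carrier edge. For a network operator who cannot block the port outright, the same activity is easy to spot in edge firewall logs. The following Python script is an added example, not code from the article or from Shukla's analysis: it parses netfilter-style kernel log lines (constructed sample data, using documentation address ranges) and reports remote sources that opened more than a threshold of new TCP/23 connections inside a sliding time window. The log format, field names and thresholds are assumptions for illustration.

```python
"""Flag remote sources hammering TCP/23 (Telnet) at a network edge.

Added illustrative example. Input lines follow the Linux netfilter LOG
target format; the sample lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog timestamp, then the netfilter fields we care about (SRC, DST, TCP, DPT).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) .*?"
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (hypothetical gateway "gw"; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    "Jun  3 10:15:01 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=44 TTL=48 PROTO=TCP SPT=54321 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun  3 10:15:04 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.21 LEN=44 TTL=48 PROTO=TCP SPT=54322 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun  3 10:15:09 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.22 LEN=44 TTL=48 PROTO=TCP SPT=54323 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun  3 10:15:15 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.23 LEN=44 TTL=48 PROTO=TCP SPT=54324 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun  3 10:15:22 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.24 LEN=44 TTL=48 PROTO=TCP SPT=54325 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    # A single Telnet attempt, then established traffic on the same flow (ACK, not a new attempt).
    "Jun  3 10:15:30 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=44 TTL=52 PROTO=TCP SPT=40001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun  3 10:15:31 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 LEN=52 TTL=52 PROTO=TCP SPT=40001 DPT=23 WINDOW=65535 RES=0x00 ACK URGP=0",
    # HTTPS connections: not Telnet, ignored entirely.
    "Jun  3 10:15:32 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.20 LEN=44 TTL=60 PROTO=TCP SPT=50001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun  3 10:15:33 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.11 DST=198.51.100.21 LEN=44 TTL=60 PROTO=TCP SPT=50002 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0",
    # Slow source: three Telnet attempts spread over ten minutes.
    "Jun  3 10:05:00 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.13 DST=198.51.100.30 LEN=44 TTL=44 PROTO=TCP SPT=31000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun  3 10:10:00 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.13 DST=198.51.100.31 LEN=44 TTL=44 PROTO=TCP SPT=31001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jun  3 10:15:00 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.13 DST=198.51.100.32 LEN=44 TTL=44 PROTO=TCP SPT=31002 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    # Unrelated syslog line; the parser must skip it.
    "Jun  3 10:15:40 gw sshd[123]: Accepted publickey for admin from 198.51.100.5",
]


def parse_line(line):
    """Return the fields of one netfilter log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Flags (SYN, ACK, ...) appear as bare tokens after the DPT field.
    flags = line[m.end():].split()
    return {
        "ts": datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dpt": int(m.group("dpt")),
        # SYN without ACK marks a new inbound connection attempt.
        "syn_only": "SYN" in flags and "ACK" not in flags,
    }


def telnet_probe_sources(lines, threshold=3, window=timedelta(seconds=60)):
    """Map source IP -> total TCP/23 attempts, for sources that made at least
    `threshold` attempts inside any `window`-long interval."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dpt"] == 23 and rec["syn_only"]:
            attempts[rec["src"]].append(rec["ts"])

    flagged = {}
    for src, times in attempts.items():
        times.sort()
        densest = 0
        j = 0  # left edge of the sliding window
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            densest = max(densest, i - j + 1)
        if densest >= threshold:
            flagged[src] = len(times)
    return flagged


if __name__ == "__main__":
    for src, count in telnet_probe_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} Telnet connection attempts")
```

With the defaults (three new Telnet connections within 60 seconds) only 203.0.113.7 is reported; the slow source 203.0.113.13 makes three attempts in total but never three inside one window, and lowering the threshold to one surfaces it along with every other source that touched port 23. A real deployment would feed this from the firewall's log stream and pair it with the blocking Shukla recommends, so the alert confirms the rule is doing its job rather than substituting for it.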
Contact Shukla at pparth at auscert.org.au.