What Happened When One Man Pinged the Whole Internet article tells about a home science experiment that probed billions of Internet devices reveals that thousands of industrial and business systems offer remote access to anyone. Moore’s census involved regularly sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world (Google, in contrast, collects information offered publicly by websites).
310 million IP addresses turned out to devices which were safety defects or to permit anyone to manage them. 114000 vulnerable devices were part of a commercial or industrial system. Many came in with default passwords, and 13000 unit let in without asking for a password at all.
Moore believes the security industry is overlooking some rather serious, and basic, security problems by focusing mostly on the computers used by company employees. Many company’s IT systems have largely unknown and easily hackable backdoors. Those vulnerable accounts offer attackers significant opportunities, says Moore, including rebooting company servers and IT systems, accessing medical device logs and customer data, and even gaining access to industrial control systems at factories or power infrastructure.
Billy Rios, a security researcher who works on industrial control systems at security startup company Cylance, says Moore’s project provides valuable numbers to quantify the scale of a problem that is well-known to experts like himself but underappreciated by companies at risk. Rios says that in his experience, systems used by more “critical” facilities such as energy infrastructure are just as likely to be vulnerable to attack as those used for jobs such as controlling doors in a small office. “They are using the same systems,” he says
Many security problems are related to unsecured serial servers. Manufacturers of unsecured serial servers are not offended by those findings. They have tried to educate their customers on good security policy earlier, and they also sell services for secured connectivity.
Remember that HD Moore is not the only person scanning the Internet. Internet Census 2012: Port scanning /0 using insecure embedded devices article tells about dataset published by an anonymous hacker last month, gathered by compromising 420,000 pieces of network hardware. Also Cyber search engine Shodan exposes industrial control systems to new risks by making them easier to find (more on at at my Automation systems security issues posting).