Shodan to assess a country’s risk

OK, last post on shodan for a bit, i promise 🙂

So last year about this time we had Mirai attack Deutsche Telekom, getting 900K modems. And the attack was targeted specifically at Germany, bringing up the spectre of: why? Election tampering? Insider trading? Lots of things are possible when you get access to peoples modems. In that case, someone has been found, and he pled guilty, claiming he was paid $10K by a Liberian telecoms firm. Seems reasonable for sure. At that time, there was a *huge* number of devices online that had the TR-69 port open to the Internet. If 900K modems in germany could create a Terabit/s of trouble, imagine what the 14M in the US could do? It could be a big national security issue.

OK, back to Shodan. Lets take a common service, SMB. You might know it better as 'Windows File Sharing', and its how a lot of files are shared today in a corporate environment, but also in your home environment (got a NAS? a router that exposes storage to you?). SMB is also used for authentication and directory services.

Now, SMB was not designed with the idea of running on the wide-open Internet. It was more designed around the idea of you had 2 DOS computers in the same company, and wanted to use Interrupt 33 :). So I wonder, how much of it, particularly the vulnerable version 1, is on the Internet today? Lets do a quick search for "smb Authentication disabled".

TOTAL RESULTS
623,520

TOP COUNTRIES
United Arab Emirates 372,049
Brazil                37,920
United States         28,270
Argentina             23,563
Italy                 18,991
TOP ORGANIZATIONS
Emirates Telecommunications Corporation 369,114
Algar Telecom                            31,975
Telefonica de Argentina                  20,700
Vodafone Italia DSL                      12,204
Philippine Long Distance Telephone       10,572
TOP OPERATING SYSTEMS
Unix                                    571,694
Windows 6.1                              25,467
QTS                                       5,816
Windows 5.1                               2,771
Windows Server 2012 R2 Standard 9600      2,127

TOP PRODUCTS
Samba                                    602,341

OK, that is shocking. But there is one super standout here, which is the UAE. 370K devices in the UAE (more than half of the ones in the world) are online, running SMB v1, with Authentication disabled.

Looking a bit more, they seem to be D-Link DIR-850L. Oh wait, weren't these the ones with that big security issue? Yes, here is their note. (and the article talking about 10 zero-day flaws!)

Q: DIR-850L Security Advisory

A: D-Link Systems, Inc. --- On September 8th, 2017, a news article reported zero-day flaws with D-Link DIR-850L routers. D-Link immediately took actions to investigate the issues and endeavors to solve them.

Firmware is NOW Available and can be downloaded for your particular hardware version (A or B) here- http://support.dlink.ca/ProductInfo.aspx?m=DIR-850L

OK, that is scary. What are the odds that all those people updated that quickly? (the answer is zero, because the recommendation is to disable the remote admin, which is what is showing up here in Shodan).

We can drill into just the UAE in shodan by appending country:AE to the search.

Now, a lot of consumer ISP's block port 445. I don't want to get into a network neutrality debate on that blocking. Best Current Practise 134 doesn't take a position on blocking port 25 either, simply stating that you should not block port 587 (the newer better email port). But looking on some Google Search, I see a lot of ISP do block port 445, and Microsoft has a partial list. And doing so would be a pragmatic risk-reduction to this problem.

Now in this case, the problem vector is twofold:

  1. Whatever files the user has shared (sda1) are Internet facing, perhaps unexpectedly
  2. These are all running the same version of Samba, and, there are some CVE for it (I won't provide the link here)

372K devices, running the identical software, in a single country, with a single common vulnerability, this is a lot of risk. And after WannaCry, we'd love to see less.

In the US, the FTC (Federal Trade Commission) filed charges against D-Link for failing to protect consumer privacy due to issues with the security of their routers and cameras. I wonder if the UAE has a similar agency? D-Link is also the same company that leaked their master firmware signing key (the private one).

One thing is for certain, we will likely hear of this again, hopefully not with a Mirai: Dubai Edition, but hopefully instead with a 'mission accomplished'.

Leave a Reply

Your email address will not be published. Required fields are marked *

*