OK, last post on Shodan for a bit, I promise 🙂
So last year about this time we had Mirai attack Deutsche Telekom, getting 900K modems. And the attack was targeted specifically at Germany, bringing up the spectre of: why? Election tampering? Insider trading? Lots of things are possible when you get access to people's modems. In that case, someone has been found, and he pled guilty, claiming he was paid $10K by a Liberian telecoms firm. Seems reasonable for sure. At that time, there was a *huge* number of devices online that had the TR-69 port open to the Internet. If 900K modems in Germany could create a Terabit/s of trouble, imagine what the 14M in the US could do? It could be a big national security issue.
OK, back to Shodan. Let's take a common service, SMB. You might know it better as ‘Windows File Sharing’, and it's how a lot of files are shared today in a corporate environment, but also in your home environment (got a NAS? a router that exposes storage to you?). SMB is also used for authentication and directory services.
Now, SMB was not designed with the idea of running on the wide-open Internet. It was designed more around the idea that you had 2 DOS computers in the same company and wanted to use Interrupt 33 :). So I wonder, how much of it, particularly the vulnerable version 1, is on the Internet today? Let's do a quick search for “smb Authentication disabled”.
TOTAL RESULTS: 623,520

TOP COUNTRIES
- United Arab Emirates: 372,049
- Brazil: 37,920
- United States: 28,270
- Argentina: 23,563
- Italy: 18,991

TOP ORGANIZATIONS
- Emirates Telecommunications Corporation: 369,114
- Algar Telecom: 31,975
- Telefonica de Argentina: 20,700
- Vodafone Italia DSL: 12,204
- Philippine Long Distance Telephone: 10,572

TOP OPERATING SYSTEMS
- Unix: 571,694
- Windows 6.1: 25,467
- QTS: 5,816
- Windows 5.1: 2,771
- Windows Server 2012 R2 Standard 9600: 2,127

TOP PRODUCTS
- Samba: 602,341
OK, that is shocking. But there is one super standout here, which is the UAE. 370K devices in the UAE (more than half of the ones in the world) are online, running SMB v1, with Authentication disabled.
Q: DIR-850L Security Advisory
A: D-Link Systems, Inc. — On September 8th, 2017, a news article reported zero-day flaws with D-Link DIR-850L routers. D-Link immediately took actions to investigate the issues and endeavors to solve them.
Firmware is NOW Available and can be downloaded for your particular hardware version (A or B) here- http://support.dlink.ca/ProductInfo.aspx?m=DIR-850L
OK, that is scary. What are the odds that all those people updated that quickly? (The answer is zero, because the recommendation is to disable the remote admin, which is what is showing up here in Shodan.)
We can drill into just the UAE in Shodan by appending country:AE to the search.
Now, a lot of consumer ISPs block port 445. I don’t want to get into a network neutrality debate on that blocking. Best Current Practice 134 doesn’t take a position on blocking port 25 either, simply stating that you should not block port 587 (the newer, better email port). But from some searching on Google, I see that a lot of ISPs do block port 445, and Microsoft has a partial list. Doing so would be a pragmatic way to reduce the risk from this problem.
Now in this case, the problem vector is twofold:
- Whatever files the user has shared (sda1) are Internet facing, perhaps unexpectedly
- These are all running the same version of Samba, and there are some CVEs for it (I won’t provide the link here)
372K devices running identical software, in a single country, with a single common vulnerability: this is a lot of risk. And after WannaCry, we’d love to see less.
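A device owner can check a Samba configuration for the conditions described above (SMB v1 accepted, authentication disabled, service not limited to the LAN). The following is an added example, not part of the original post or any vendor tooling; the function names are hypothetical, the sample configs are constructed, and br0 is an assumed LAN bridge name.

```python
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Parse smb.conf into {section: {param: value}}; Samba ignores case and spaces in names."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(section, {})["".join(key.split()).lower()] = value.strip()
    return conf

def audit_smb_conf(text):
    """Return (code, message) findings for SMB1, guest access and interface binding."""
    conf = parse_smb_conf(text)
    g, findings = conf.get("global", {}), []
    proto = g.get("serverminprotocol", g.get("minprotocol"))
    if proto is None:
        findings.append(("smb1-default", "min protocol unset; Samba before 4.11 accepts SMB1"))
    elif proto.upper() in SMB1_DIALECTS:
        findings.append(("smb1", f"min protocol {proto} allows SMB1"))
    if g.get("maptoguest", "never").lower() != "never":
        findings.append(("guest-login", "failed logins are mapped to the guest account"))
    if g.get("bindinterfacesonly", "no").lower() not in YES or "interfaces" not in g:
        findings.append(("all-interfaces", "smbd is not restricted to named LAN interfaces"))
    for name, share in conf.items():
        if name != "global" and share.get("guestok", share.get("public", "no")).lower() in YES:
            findings.append(("guest-share", f"[{name}] is readable without authentication"))
    return findings

# Constructed sample configs; the share name sda1 is from the post, br0 is an assumed LAN bridge.
WEAK = """[global]
   map to guest = Bad User
   min protocol = NT1
[sda1]
   guest ok = yes
"""
HARDENED = """[global]
   server min protocol = SMB2
   interfaces = lo br0
   bind interfaces only = yes
[sda1]
   guest ok = no
"""
```

Binding smbd to LAN interfaces complements, rather than replaces, blocking port 445 at the WAN edge.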
In the US, the FTC (Federal Trade Commission) filed charges against D-Link for failing to protect consumer privacy due to issues with the security of their routers and cameras. I wonder if the UAE has a similar agency? D-Link is also the same company that leaked their master firmware signing key (the private one).
One thing is for certain: we will likely hear of this again, hopefully not with a Mirai: Dubai Edition, but instead with a ‘mission accomplished’.