The Internet of unsecured Things


[Figure: Carna map]
Recently the Carna botnet found more than 1 million open (i.e. unprotected) embedded devices on the internet. Many of them ran Linux and allowed login to a BusyBox shell with empty or default credentials (e.g. root:root, admin:admin, or either account with no password at all).

These unprotected devices included consumer routers, set-top boxes, IPSec and BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems and Cisco/Juniper equipment.

This botnet did not cause any damage, but with the Carna report being widely published it is only a matter of time before other, malicious botnets specifically target such open devices. In fact, the (anonymous) author of Carna found the Aidra bot already present on one of the devices he used.

And of course 1.2 million devices can’t and won’t be patched. It is an eyesore that won’t go away.

But the thing that bothers me most is the potential threat posed by the “real” Internet of Things that will (or is supposed to) come, aka your internet-enabled anything and everything.

How are we supposed to ride a motorbike, if we can’t even handle a bicycle?

