We can spend a lot of time, in the security business, talking about the latest, sneakiest, most sophisticated attacks on computer security; besides being newsworthy, they are also frequently interesting in their own right, because of the insights they may give us. However, a recent article in Wired should remind us that we can’t forget about the most basic security measures. There is no point in putting a super-duper tamper resistant lock on your front door if you leave all the windows open.
A group of researchers at Columbia University’s Intrusion Detection Systems Laboratory has been conducting a survey of devices connected to the networks of the largest Internet service providers [ISPs] in North America, Europe, and Asia. They presented some preliminary results[PDF] of their work at a RAID 2009 symposium in June.
Researchers scanning the internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack. Their administrative interfaces are viewable from anywhere on the internet and their owners have failed to change the manufacturer’s default password.
Linksys routers had the highest percent of vulnerable devices found in the United States — 45 percent of 2,729 routers that were publicly accessible still had a default password in place.
Not surprisingly, residential users were most likely to have vulnerable devices, and enterprise customers least likely. The researchers did find some significant differences in the prevalence of vulnerabilities in different countries. In Japan, for example, 75% of the Linksys routers found were vulnerable; the corresponding figure for Canada was 60%, for India 57%, for France 34%, and for the USA 38%.
These are disturbing results. Much of the security approach taken for consumer products in the past has implicitly made the assumption that providing consumers with some basic information and tools is enough. These results, and the results of other research that show a high proportion of consumer PCs missing critical security updates, illustrate that this assumption is false. The average consumer is not a competent systems administrator, nor should (s)he have to be. I wrote a note recently about an attempt by Comcast to notify their customers whose systems apparently were infected with malware. I will not argue that this specific initiative is the best of all possible worlds, but I think efforts of that kind, by ISPs, are going to be needed to really make a significant dent in the PC security problem.