The insecure devices were grouped by CPU and RAM, and the botnet binary was only deployed on systems that were likely to represent widespread consumer-grade devices and not industrial control or mission-critical systems.
The 420,000 devices the botnet client eventually ran on represented about 25 percent of all unprotected devices found. The researcher collected MAC addresses -- unique hardware identifiers assigned to network interfaces -- for all unprotected devices and identified about 1.2 million of them.
"A lot of devices and services we have seen during our research should never be connected to the public Internet at all," the researcher said. If you believe that nobody would ever connect a certain type of device to the Internet, there are probably at least 1,000 people who did it, he said. Similarly, if you think that you'll only find a few instances of certain devices that shouldn't normally be connected to the Internet, there will probably be a few hundred thousand of them, "like half a million printers, or a million webcams, or devices that have 'root' as a root password," he said.
"We hope other researchers will find the data we have collected useful and that this publication will help raise some awareness that, while everybody is talking about high-class exploits and cyber war, four simple, stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world," the researcher said.
The potential for malicious use of such devices is high, the researcher said via email. In fact, while deploying the Carna botnet, he found a DDoS (distributed denial-of-service) bot called Aidra that was already running on thousands of the open devices.
He then decided to make some changes to devices infected by his own botnet client in order to prevent Aidra infections. "Since we did not change anything permanently, restarting the device undid these changes," he said. "We figured that the collateral damage as a result of this action would be far less than Aidra exploiting these devices."
In time, the Carna botnet gained systems that Aidra lost and kept the malicious bot out of them, except for around 30,000 devices running on the MIPS platform where Aidra permanently installed itself, the researcher said.
Devices running embedded operating systems provide a huge potential for cyber crime activities, said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "They are rarely using any intrusion detection mechanism, despite the fact that they have the technical capabilities to run malware. These highly specialized appliances are in fact computers; what differs is the software running on them."
The fact that this researcher found a malicious botnet already running on these devices is proof that bad things are already happening in the embedded world, but they often go unnoticed because there are no mechanisms to detect them, Botezatu said.
"The fact is that the state of security on thousands of Internet-connected devices is lower than one would assume," Schloesser said. "Finding another botnet on a subset of these devices is not surprising at all -- other research showed the very concerning state of security on the public internet in the past as well."
In January, security researchers from Rapid7 published research showing that tens of millions of network-enabled devices including routers, printers, media servers, IP cameras, smart TVs and more could be attacked over the Internet because of dangerous flaws in their implementation of the UPnP (Universal Plug and Play) protocol standard.