How the 'largest IPv4 census ever' broke the law, but still respected user privacy

A fascinating, yet illegal, hacking project mapped global internet activity of nearly half-a-million devices without spying on them.

It started as a joke – “we should try the classic telnet login root:root on random IP addresses” – but it soon evolved into a massive, illegal project to hack into nearly half-a-million internet-connected devices solely for the purpose of mapping out global internet activity. The data would materialize as this fascinating .gif:

An anonymous hacker recently posted a research report, first reported by Motherboard, that explains how he and other researchers identified “several hundred thousand devices on the internet” then launched a botnet to gauge the frequency with which these devices accessed the internet.

After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand. Starting with one device and assuming a scan speed of ten IP addresses per second, it should find the next open device within one hour. The scan rate would be doubled if we deployed a scanner to the newly found device. After doubling the scan rate in this way about 16.5 times, all unprotected devices would be found; this would take only 16.5 hours. Additionally, with one hundred thousand devices scanning at ten probes per second we would have a distributed port scanner to port scan the entire IPv4 Internet within one hour.

The report details both how the researchers composed this plan and the precautions they took to ensure the project respected the privacy of innocent, unsuspecting internet users. The first step in the design and implementation stage is aptly titled “Be Nice,” and reads as such:

We had no interest to interfere with default device operation so we did not change passwords and did not make any permanent changes. After a reboot the device was back in its original state including weak or no password with none of our binaries or data stored on the device anymore. Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong. Our scanner was limited to 128 simultaneous connections and had a connection timeout of 12 seconds. This limits the effective scanning speed to ~10 IPs per second per client. We also uploaded a readme file containing a short explanation of the project as well as a contact email address to provide feedback for security researchers, ISPs and law enforcement who may notice the project.

The researchers were also careful not to peek at what was traversing the web traffic it was measuring. Although that was a possibility, it was not the aim of the project, the report states:

We decided to completely ignore all traffic going through the devices and everything behind the routers. This implies no arp, dhcp statistics, no monitoring or counting of traffic, no port scanning of LAN devices and no playing around with all the fun things that might be waiting in the local networks. We used the devices as a tool to work at the Internet scale. We did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users.

The result, according to the report, is “the largest and most comprehensive IPv4 census ever.” The researchers assured readers that “the binary stops itself after some time and most of the deployed versions have already done that by now.”

The map, however, isn’t an all-encompassing vision of the global internet. As Motherboard writer Adam Clark Estes pointed out, the data is limited to “Linux-based computers with a certain amount of processing power,” and only those with IPv4 addresses. Regardless, 420,000 devices is a large-enough sample size to get at least an interesting view of internet activity across the world.

The researchers themselves acknowledge that the data isn’t fully representative of the entire world. But even so, they claim to have reached their main goal in the process:

We hope other researchers will find the data we have collected useful and that this publication will help raise some awareness that, while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10