A computer researcher wanted to map all 3.6 billion of the Internet’s usable IPv4 addresses, to see which ones are actually being used and to determine where the devices are physically located. This would be quite a task for a single computer, so he created a botnet with 420,000 zombie devices to do the task for him. What I find most interesting, however, is how he managed to compromise those devices. He simply tried to connect to each one with the following four username/password combinations:
No kidding. That’s all it took.
For the more technically minded, the paper says that “the vast majority of all unprotected devices are consumer routers or set-top boxes.” So just for kicks, I telneted to my router and found that the admin/admin combination worked. Fortunately it’s configured such that remote telnet is disabled—so I was not part of this experiment. The paper goes on to say that the 420,000 number is for the devices they turned into zombies, and that the actual number of vulnerable machines is about four times that many.