IoT search engines make it easy to find vulnerable devices, and that’s a problem

Two VMware vCenter Server vulnerabilities identified earlier this year illustrate why Internet of Things (IoT) search engines present both good solutions for and serious risks of weaponized exploits.

vCenter lets organizations automate and deliver virtual infrastructures across the hybrid cloud. And because a hack of vCenter enables threat actors to control the virtualization layer, this is a serious vulnerability for thousands of the largest organizations around the globe.

The first vulnerability identified was a remote code execution (RCE) in the vSphere HTML5 client vCenter plug-in. A day after VMware published this vulnerability on February 23, there were already two published exploits. By May 11, we saw a great deal of scanning by Necro Python Botnet, a cryptojacking malware.

The second vulnerability was disclosed by VMware on May 25 and relates to an RCE in the vSAN Health Check Plugin, which is enabled by default in all vCenter deployments. As such, unless organizations disabled the plug-in, they were vulnerable. By June 1, we saw a rapid uptick in scans following the online disclosure of the vulnerability details that could lead to weaponization of the exploit.

Not all scans are nefarious. There are good actors that continuously scan the Internet randomly to catalog vulnerabilities and assess the danger. Some turned those scanning activities into paying services, allowing businesses to easily assess their exposed services and threat surface. But in laying wide open all the vulnerabilities on the Internet, nefarious individuals can profit from them as well, easily and without investing in infrastructure or having in-depth technical knowledge.

Perhaps the three best known of these search engines are Censys, Shodan, and ZoomEye. Among the capabilities they offer are the ability for organizations to discover all their Internet-connected devices and view exposed devices so that they can be protected or disconnected.

But they’ve made it so easy to search for unprotected IoT devices (by geolocation, port/operating system, services/host, IP address, keyword search, etc.) that anyone — white hat, gray hat, or black hat — can uncover vulnerable devices.

Consider the Deep Web, which is not indexed by search engines. Even if your IP address doesn’t have a DNS entry, it will be registered somewhere. You might think that if you put a service out there and notify only select people of the IP address, it would be safe. But now, these IoT search engines scan the world not just on HTTP ports, but also SSH, SMTP, and RDP. In the case of HTTP and HTTPS, they also grab the response of the webpage.

To read the complete article, visit Dark Reading.