By Christian Stöcker and Judith Horchert
Just how big is the Internet? An anonymous hacker claims to have answered the question via effective but illegal means. The result is a fascinating reflection of online usage around the world.
Somewhere on this planet there is a hacker whose emotions are likely shifting between pride and fear. Pride, because he managed to do what no one else has managed. And fear, because it was illegal in almost every country in the world.
This person measured the Internet — the entire public network as it appeared in 2012. To achieve this Herculean task, the hacker illegally used a tool that utilized others’ computers across the globe.
The anonymous person simply wanted to find out how many devices that were online could be opened with the standard password “root,” he writes in a kind of research report on the project, entitled “Internet Census 2012.” The result was the discovery that there are hundreds of thousands of devices secured only with the most common standard password, or without any password at all.
One of the largest groups of devices he found was routers, an issue we recommend that readers address immediately. Routers received from Internet providers are likely to have one of a few standard administrator passwords, including “root” or “admin.” The router producers assume that users will change these passwords when they install the devices, but this rarely happens.
“As could be seen from the sample data, insecure devices are located basically everywhere on the Internet,” the hacker writes. He found over a million devices that were accessible worldwide, the “vast majority of them consumer routers or set-top boxes.” But there were also other types of devices, including “industrial control systems” and “physical door security systems.” The security risks that the hacker’s work exposes are dizzying.
Obviously Illegal
To clear up any confusion, this was not about wireless local area network (WLAN) passwords, which users presumably configure with their own passwords or those provided on the back of the router. The focus was on the standard administrator passwords with which one can access the router itself. This router interface for administrators is not supposed to be accessible from the Internet — but that often appears not to be the case, according to the hacker’s research.