Quick Statistics on the Router Backdoor on Port 32764

As soon as the backdoor information was posted on github I got curious about how common the issue would be, so I added port 32764 to the list of ports that I survey. I had set it up and moved on to work on other things, but the topic came up again recently so I thought I’d take a quick look at the data and see what can be learned.

A lot of devices respond on port 32764, but the majority of them are going to be firewalls, random web servers or other shenanigans that have nothing to do with the backdoor. To only get results that mattered, I searched not just for port 32764 but also for the strings “scmm” and “mmcs” (the same value, just with different endianness). At the time of writing there are 6,401 devices in Shodan that match the criteria for routers with the potential backdoor vulnerability.

Global Backdoor Exposure


It’s interesting that the US doesn’t lead the number of public devices, since in general it’s at the top for online devices. Instead, we see that Great Britain leads the charge with 2,228 devices, followed by Italy with 1,315. Both of those are a bit surprising and probably indicate a bias in the routers that are purchased/sold in those regions (more on that later).

Organizational Breakdown

Top Organizations

The largest ISPs in the respective countries (based on market capitalization) are leading the charge in backdoored devices. The organization with the most devices is Telecom Italia, so I took a deeper look into the data in Italy. To do so I wrote a quick Python script to go through the first 1,000 results in Italy, see if they have an HTTP service running as well and, if they do, extract the product information from the “realm” section of the header:


from collections import defaultdict
from shodan import Shodan

# Count of routers per HTTP auth realm (used here as a product name)
stats = defaultdict(int)

api = Shodan('YOUR API KEY')

# Routers in Italy whose port 32764 banner carries the magic in either byte order
results = api.search('port:32764 country:it mmcs OR scmm', limit=1000)
for result in results['matches']:
    host = api.host(result['ip_str'])

    if 80 in host['ports']:
        # Get the port 80 banner
        banner = None
        for tmp in host['data']:
            if tmp['port'] == 80:
                banner = tmp
                break

        if not banner:
            continue

        # Extract the realm info; find() returns -1 when there is no realm
        start = banner['data'].find('realm="')
        if start < 0:
            continue
        start += len('realm="')
        end = banner['data'].find('"', start)
        name = banner['data'][start:end]
        stats[name] += 1

for key, value in stats.items():
    print('%s,%s' % (key, value))

The results of this quick breakdown are below:

Italy Backdoor

I don’t know whether this is a general product bias in Italy or whether Telecom Italia prefers those brands of routers, but the Netgear DG834G appears to be the most popular router in Italy that also has a built-in backdoor. Similar breakdowns can be done for the other countries using a modified version of the above script, which I might do later on (mostly for Great Britain).
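The same breakdown can be reproduced offline against banners you have already collected, without an API key. The following is an added example, not code from the original post: it applies the two checks the post describes, the “scmm”/“mmcs” magic in either byte order (matched case-insensitively, as Shodan’s text search does) and the HTTP realm on port 80, to host records shaped like the Shodan host objects used in the script above. The sample records are constructed.

```python
import re
from collections import Counter

# The post notes the magic appears as "scmm" or "mmcs" depending on byte order;
# both spellings are checked case-insensitively, as Shodan's text search does.
MAGIC_VARIANTS = ("scmm", "mmcs")
REALM_RE = re.compile(r'realm="([^"]*)"', re.IGNORECASE)

def has_backdoor_magic(payload):
    """True if a port-32764 banner carries the magic in either byte order."""
    low = payload.lower()
    return any(magic in low for magic in MAGIC_VARIANTS)

def extract_realm(http_banner):
    """Return the HTTP auth realm, or None if the banner has none."""
    match = REALM_RE.search(http_banner)
    return match.group(1) if match else None

def realm_breakdown(hosts):
    """Count realms of hosts whose 32764 banner shows the magic and that also
    serve HTTP on port 80. Records mirror the Shodan host shape used above:
    {'ports': [...], 'data': [{'port': N, 'data': '<banner>'}, ...]}."""
    stats = Counter()
    for host in hosts:
        banners = {svc["port"]: svc["data"] for svc in host["data"]}
        if not has_backdoor_magic(banners.get(32764, "")):
            continue  # firewall, web server or other unrelated 32764 listener
        if 80 not in host["ports"]:
            continue  # no HTTP service to read a product name from
        realm = extract_realm(banners.get(80, ""))
        if realm:
            stats[realm] += 1
    return stats

# Constructed sample records (not real Shodan data); the second host uses the
# other byte order and a differently cased header to exercise both paths.
HTTP_401 = 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="%s"\r\n\r\n'
SAMPLE_HOSTS = [
    {"ports": [80, 32764], "data": [{"port": 32764, "data": "ScMM\x00\x00\x00\x00"},
                                    {"port": 80, "data": HTTP_401 % "NETGEAR DG834G"}]},
    {"ports": [80, 32764], "data": [{"port": 32764, "data": "mmcs\x00\x00\x00\x00"},
                                    {"port": 80, "data": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic Realm="Constructed Router B"\r\n\r\n'}]},
    {"ports": [80, 32764], "data": [{"port": 32764, "data": "HTTP/1.0 400 Bad Request\r\n"},
                                    {"port": 80, "data": HTTP_401 % "Unrelated Web Server"}]},
    {"ports": [32764], "data": [{"port": 32764, "data": "ScMM\x00\x00\x00\x00"}]},
    {"ports": [80, 32764], "data": [{"port": 32764, "data": "ScMM\x00\x00\x00\x00"},
                                    {"port": 80, "data": "HTTP/1.1 200 OK\r\n\r\n"}]},
]

if __name__ == "__main__":
    for realm, count in realm_breakdown(SAMPLE_HOSTS).items():
        print("%s,%s" % (realm, count))
```

Only the first two sample hosts are counted: the third has an unrelated service on 32764, the fourth has no HTTP port, and the fifth has no realm to read.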

Compared to routers that advertise their default credentials (62,883) or old Microsoft IIS servers (5.0 is at 312,334), the total number of routers with a publicly exposed backdoor is very small (6,401). It will be interesting to see whether the service is exposed on other devices in different ways or whether this is the complete picture for the vulnerability’s risk to the Internet. Either way, this is how the data presents the situation at the moment, and as things change I will update the information/charts!


2 comments

  1. Richard

    Nice summary! In GB you will find many Netgear DG834 devices, too. However, when we did our last survey some weeks ago, most of them seemed to have been distributed by the “Shareband” broadband bonding service provider (these run a modified firmware “with Shareband Enhancements”). So a breakdown by ISP won’t make the right picture.

  2. Pingback: Backdoor vulnerability in low-priced Cisco routers | Aiming to Become a Network Engineer - Blog
