As soon as the backdoor information was posted on GitHub I got curious about how common the issue would be, so I added port 32764 to the list of ports that I survey. I had set it up and moved on to work on other things, but the topic came up again recently, so I thought I'd take a quick look at the data and see what can be learned.
A lot of devices respond on port 32764, but the majority of them are going to be firewalls, random web servers or other shenanigans that have nothing to do with the backdoor. To only get results that mattered, I searched not just for port 32764 but also for the strings "scmm" and "mmcs" (the same value, just with different endianness). At the time of writing there are 6,401 devices in Shodan that match the criteria for routers with the potential backdoor vulnerability.
Global Backdoor Exposure
It's interesting that the US doesn't lead the number of public devices, since in general it's at the top for online devices. Instead, we see that Great Britain leads the charge with 2,228 devices, followed by Italy with 1,315. Both of those are a bit surprising and probably indicate a bias in the routers that are purchased/sold in those regions (more on that later).
The largest ISPs in the respective countries (based on market capitalization) are leading the charge in backdoored devices. The organization with the most devices is Telecom Italia, so I took a deeper look into the data in Italy. To do so I wrote a quick Python script that goes through the first 1,000 results in Italy, checks whether each host also runs an HTTP service and, if it does, extracts the product information from the "realm" section of the header:
from collections import defaultdict
from shodan import Shodan

stats = defaultdict(int)
api = Shodan('YOUR API KEY')

# Hosts in Italy answering on 32764 with the backdoor magic in either byte order
results = api.search('port:32764 country:it mmcs OR scmm', limit=1000)

for result in results['matches']:
    host = api.host(result['ip_str'])
    if 80 in host['ports']:
        # Get the port 80 banner
        banner = None
        for tmp in host['data']:
            if tmp['port'] == 80:
                banner = tmp
                break
        if not banner:
            continue

        # Extract the realm info (str.find returns -1 when the realm is absent)
        start = banner['data'].find('realm="')
        if start < 0:
            continue
        start += len('realm="')
        end = banner['data'].find('"', start)
        name = banner['data'][start:end]
        stats[name] += 1

for key, value in stats.items():
    print('%s,%s' % (key, value))
The results of this quick breakdown are below:
I don't know whether this is a general product bias in Italy or whether Telecom Italia prefers those brands of routers, but the Netgear DG834G appears to be the most popular router in Italy that also has a built-in backdoor. Similar breakdowns can be done for the other countries using a modified version of the above script, which I might do later on (mostly for Great Britain).
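An offline version of the same breakdown, added here as an example rather than the post's own script: it takes Shodan-style host records (the constructed samples at the bottom stand in for the API), confirms that the port 32764 banner actually opens with the magic in either byte order before counting the host, and pulls the realm with a regex so a missing or oddly cased header is skipped instead of mis-sliced.

```python
import re
import struct
from collections import defaultdict

# The post keys on "scmm" and "mmcs": one 32-bit magic value, seen in the
# two possible byte orders.  Shodan's match is case-insensitive; so is this.
MAGIC = "scmm"
MAGIC_SWAPPED = MAGIC[::-1]  # "mmcs"
assert struct.unpack(">I", MAGIC.encode())[0] == struct.unpack("<I", MAGIC_SWAPPED.encode())[0]

REALM_RE = re.compile(r'realm="([^"]*)"', re.IGNORECASE)

def backdoor_byte_order(banner):
    """'big' or 'little' if the 32764 banner opens with the magic, else None."""
    head = banner[:4].lower()
    if head == MAGIC:
        return "big"
    if head == MAGIC_SWAPPED:
        return "little"
    return None

def http_realm(banner):
    """Product name from the WWW-Authenticate realm, or None if absent."""
    match = REALM_RE.search(banner)
    return match.group(1) if match else None

def tally_realms(hosts):
    """hosts: Shodan-style records {'data': [{'port': int, 'data': str}, ...]}.
    Count HTTP realms only for hosts whose 32764 banner carries the magic."""
    stats = defaultdict(int)
    for host in hosts:
        banners = {svc["port"]: svc["data"] for svc in host["data"]}
        if backdoor_byte_order(banners.get(32764, "")) is None:
            continue  # port open, but not the backdoor protocol
        realm = http_realm(banners.get(80, ""))
        if realm is None:
            continue  # no HTTP service, or no realm to attribute a product to
        stats[realm] += 1
    return dict(stats)

# Constructed sample records, not real hosts.
SAMPLE_HOSTS = [
    {"data": [{"port": 32764, "data": "mmcs\x00\x00\x00\x00"},
              {"port": 80, "data": 'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="NETGEAR DG834G"\r\n'}]},
    {"data": [{"port": 32764, "data": "SCMM\x00\x00\x00\x00"},
              {"port": 80, "data": 'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="NETGEAR DG834G"\r\n'}]},
    {"data": [{"port": 32764, "data": "HTTP/1.1 200 OK\r\n"}]},  # unrelated web server
    {"data": [{"port": 32764, "data": "mmcs\x00\x00\x00\x00"}]},  # backdoor, no HTTP
]
```

Swapping `SAMPLE_HOSTS` for the records returned by `api.host()` gives the same CSV-style tally as the script above, with the two non-router cases filtered out.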
Compared to routers that advertise their default credentials (62,883) or old Microsoft IIS servers (IIS 5.0 alone is at 312,334), the total number of routers with a publicly exposed backdoor is very small (6,401). It will be interesting to see whether the service is exposed on other devices in different ways or whether this is the complete picture of the vulnerability's risk to the Internet. Either way, this is how the data presents the situation at the moment, and as things change I will update the information/charts!