Over 13,500 internet-connected storage devices have been exposed online by users who failed to set access passwords for them, it emerged last week.
The affected drives all use the Internet Small Computer Systems Interface (iSCSI), which is an implementation of the older SCSI interface that connected disk drives directly to computers.
iSCSI, which was standardised in 2000, enabled that protocol to operate over IP connections so that devices could connect to drives across local area networks, or wide-area connections including the general internet.
Today, people use iSCSI to connect to a range of devices including the kinds of network-attached storage (NAS) drives that you’d find in a small office, and larger banks of network storage devices in datacentres.
iSCSI is also a common way for computers to connect to virtual machines (VMs). These are software files containing entire operating systems that run on a thin layer of software rather than directly on a physical server, making it possible to run many of them on a single computer at once. VMs are the basis for modern cloud computing, which relies entirely on virtualised resources.
Here’s the problem with putting things on the internet, though: They’re usually easy to find and connect to. If you put something like an iSCSI device online and then fail to secure it with login credentials, it means that it’s publicly available for anyone to access.
A cybersecurity researcher using the name A Shadow discovered this and publicised it on Saturday 30 March 2019:
They found over 13,500 of these iSCSI devices exposed online, available for anyone to access and exposing the data that they held. This gives anyone successfully connecting to a drive complete freedom to download its contents, delete it, or alter it to insert malware.
Many of these iSCSI addresses belonged to private companies, the researcher added, making them prime targets for cybercriminals.
ZDNet verified A Shadow’s findings by searching for unprotected iSCSI devices on the IoT search engine Shodan. It found exposed devices from a variety of organisations, including a branch of a YMCA, a Russian government agency, and several universities and research institutes.
This isn’t an issue with the iSCSI protocol so much as with its implementation.
The users who install these devices should make efforts to secure them, although in many cases they won’t be aware that they need to.
This is where the second line of defence could come in. iSCSI-enabled device vendors could either force users to configure passwords before allowing them to connect to a network, or better still configure the devices with individual passwords out of the box.
California’s recently-passed IoT cybersecurity bill, SB-327, enforces just such a measure. It’ll be interesting to see if it has any effect in stopping mass exposures like this one.