Millions of sensitive services exposed on the internet reveal most hackable countries

There are millions upon millions of systems on the internet that offer services that should not be exposed to the public network, and Rapid7 has determined which countries are the most exposed and therefore the most hackable.

Using Project Sonar, Rapid7 set out to understand the overall internet threat exposure in general and at a country level. In the new research paper, exposure is defined “as offering services that either expose potentially sensitive data over cleartext channels or are widely recognized to be unwise to make available on the internet.”

The report noted: “While there are 65,535 possible listening ports for every IP-addressable endpoint on the internet, we are concerned primarily with a sampling of the ‘most popular’ TCP ports on the internet.”

The researchers took the 30 “most popular” TCP ports and performed cross-country comparisons to come up with a National Exposure Index.

Below is a small sample of Rapid7’s findings.

The table on the left shows the top regions that have devices listening on all of the 30 most prevalent TCP services. There was no “double dipping,” as a node in the “30 ports exposed” category had all 30 scanned ports exposed and was not in any other port-count category.

The table on the right shows a small portion of the national exposure index, the most exposed nations with insecure services—the most hackable countries.

Notice that the U.S. has a ridiculously high number of devices listening on all 30 ports examined in this study, landing in the top spot with over 43 million servers or devices exposing every port combination in the Sonar study. Yet it ranked at 14 in the exposure table for offering insecure services. China had considerably fewer devices listening on 30 ports, over 11 million, yet came in fifth for most hackable country. It’s doubtful that many people taking a wild guess at the most exposed country would have said Belgium.

Rapid7 found a “correlation between the GDP of a nation, overall internet ‘presence’ in terms of services offered, and the exposure of insecure, cleartext services.” The report explained, “By surveying available services on the internet, and grouping by geolocated IP address, we can see that, in general, there is some correlation between internet connectivity and a region’s overall economic strength as expressed by GDP.”

Of the 30 ports scanned by Rapid7, below are the top 20 ports and protocols.

Sadly, most services are unencrypted even though it is possible to enable encryption on some of the protocols. Rapid7 called the lack of encryption for most services “worrisome for any standards or enforcement body charged with keeping up a reasonable security profile for an organization.”

HTTP, port 80 and HTTPS, port 443 make up a little less than a third of all the service ports on the internet. SSH is the third most-common service, with its insecure counterpart Telnet being the seventh most-common service. Rapid7’s scan found nearly 15 million devices still use Telnet services. Additionally, the report noted that “non-web-based access to email (via cleartext POP or IMAP protocols) is still the norm versus the exception in virtually every country.”

11.2 million nodes offer direct access to relational databases. The researchers’ scan counted 7.8 million MySQL databases and 3.4 million Microsoft SQL Server systems, but the study did not include ports for PostgreSQL and OracleDB.

“United States, China, Hong Kong, Belgium, Australia and Poland expose 75 percent of discovered Microsoft SQL nodes. Those same countries expose 67 percent of MySQL nodes,” according to the report.

Some of the facts in the full report, but you don’t see in the above sampling, include 5.4 million unencrypted Microsoft Remote Procedure Call services exposed via port 135. A whopping “4.7 million systems expose one of the most commonly attacked ports used by Microsoft systems, 445/TCP.” When scanning port 5000, 4.5 million Universal Plug and Play services were exposed, and another 4.5 million printer services were exposed via port 9100.

Rapid7’s National Exposure Index report concluded:

These results all speak to a fundamental failure in modern internet engineering. Despite calls from the Internet Architecture Board, the Internet Engineering Task Force, and virtually every security company and security advocacy organization on Earth, compulsory encryption is not a default, standard feature in internet protocol design. Cleartext protocols “just work,” and security concerns are doggedly secondary.

This state of affairs cannot last for much longer without dire consequences for the world’s largest economies. It is difficult to imagine a future where healthy, robust economies make less use of the internet, rather than more. Recall that since the internet was effectively standardized on TCP/IP in 1982, 40 percent of the world’s population now uses the internet directly on a regular basis, and virtually everyone is indirectly dependent on the internet’s functionality.

The internet is far too important an engine of economic growth and stability to leave to legacy, security-optional services. With the race towards an IoT-dominated future well underway, we must rethink how we design, deploy, and manage our existing infrastructure.

You can grab a copy of the report here and read Rapid7’s blog post about the new research here.