We Need to Talk About Open/Exposed Ports

Introduction

There is a disturbing number of devices that are connected to the internet and have ports open to the world that should not be open. We are at a time where the world is the most connected it has ever been. You can jump on the internet and play a game with someone from the opposite side of the world. You can watch a YouTube series that was made in a small town in Ontario, Canada (Letterkenny Problems) while on a boat in the middle of the ocean. You can meet people online that you relate to or have common interests with, even though you may live in an area that isn’t friendly to who you are.

All of these are things that the internet provides. This makes me think of a song called “Welcome to the Internet” by Bo Burnham. It’s a song from his musical/documentary called “Inside” that was made during the height of the Covid pandemic.

Could I interest you in everything?
All of the time?
A little bit of everything
All of the time
— Bo Burnham - Welcome to the Internet

Ok, but what does any of this have to do with these “open/exposed ports”? I guess I did get a little off track and definitely didn’t stop writing to listen to that song again. Anywho, let me start by explaining what a port is and what it means when it’s open. Let’s get into it.

What Are Ports?

Non-Technical Explanation

Imagine your computer is like a large office building. Each room in the building has a specific function, like a bedroom, a kitchen, or an office. Ports are like the doors to these rooms. They allow different types of communication to happen between your computer and other devices. For example, one door might be for sending emails, another for browsing the internet, and another for printing documents. When these doors (ports) are left open, anyone can potentially walk in and access the room, which can be risky if not properly managed.

Technical Explanation

A port is a logical construct that identifies a specific process or type of network service. Ports are used by the Transport Layer protocols TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) to direct packets to the appropriate application or service running on a device. For instance:

  • HTTP (HyperText Transfer Protocol) uses port 80 and is the foundation of data communication on the web.

  • HTTPS/SSL (HyperText Transfer Protocol Secure / Secure Sockets Layer) uses port 443 and is the secure version of HTTP. It encrypts data to ensure secure communication. However, since port 443 handles SSL traffic, it is also commonly used for encrypted VPN traffic.

  • SMTP (Simple Mail Transfer Protocol) uses port 25 for sending emails.

  • SMB (Server Message Block) typically uses port 445 for file sharing and network communication. Devices that use SMB include Windows PCs and servers, NAS (Network Attached Storage), and even printers. If you’ve ever used a “mapped drive” or “network drive” on your Windows computer, you’ve used SMB.

  • RDP (Remote Desktop Protocol) uses port 3389 to allow remote access to a computer. Devices you would use RDP on are typically Windows PCs and servers.

  • SSH (Secure Shell) uses port 22 for secure remote login and other secure network services. This is typically used for remote access to Linux devices, which includes a large bulk of (if not all) networking and IoT devices such as switches, access points, smart lights, security cameras, industrial/manufacturing sensors, and so much more.

Risks Associated with Open/Exposed Ports

Now that I’ve explained what a port is, and given some examples of what types of services and what ports they use, why is it an issue if some of these are open to the internet? Let me break down some of the ways these open ports could be exploited.

  1. Unauthorized Access: Open ports can serve as entry points for hackers to infiltrate your network. For example, an open RDP (port 3389) can allow attackers to gain remote access to a computer, potentially leading to unauthorized control and data theft.

  2. Malware Infections: Exposed ports increase the likelihood of malware entering your network. For example, SMB (port 445) was exploited by the WannaCry ransomware to spread across networks, causing widespread disruption.

  3. Denial of Service (DoS) Attacks: Attackers can target open ports to overwhelm your network with traffic, rendering it unavailable to legitimate users. An open HTTP (port 80) can be used to launch DoS attacks on web servers, disrupting access to websites. Some network devices will have a web interface on port 80; if a DoS attack were to hit a firewall’s web interface, it could overload the firewall, which would bring traffic to a snail’s pace.

  4. Data Exfiltration: If an attacker gains access through an open port, they can easily exfiltrate sensitive data without your knowledge. An open SMTP (port 25) can be exploited to send out large volumes of sensitive information via email. Similarly, an open SMB (port 445) can be used to transfer sensitive files out of the network.

  5. Compromised Devices: Open ports can allow attackers to compromise individual devices on your network. For example, an open SSH (port 22) can be targeted for brute-force attacks, leading to unauthorized access and control of IoT devices.

  6. Exploitation of Unpatched Vulnerabilities: Services running on open ports may have unpatched vulnerabilities that attackers can exploit. For instance, HTTPS/SSL (port 443) can be vulnerable to SSL/TLS exploits like Heartbleed if not properly patched.

  7. Increased Attack Surface: Every open port expands the attack surface of your network, increasing the chances of a breach. Reducing the number of open ports minimizes potential entry points for attackers. For example, limiting access to SMB (port 445) and RDP (port 3389) can significantly reduce the risk of network breaches.
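One practical way to act on the last point is to check which of the services listed above are actually listening on all interfaces of a host. The script below is an added example, not code from the original post: it parses the output format of the Linux `ss -tuln` command (a constructed sample is embedded so it runs offline) and flags the post’s high-risk services when they are bound to a wildcard address instead of loopback or a specific internal interface.

```python
"""Audit listening sockets for the high-risk services discussed above.

Added example (not from the original post). Parses `ss -tuln`-style output,
which lists each listening TCP/UDP socket with its local address:port, and
reports services that should not face the internet when they are bound to a
wildcard address (0.0.0.0 or ::) rather than loopback or one internal IP.
"""
import re

# Ports called out in the post, with the service names used there.
RISKY_PORTS = {
    22: "SSH",
    25: "SMTP",
    80: "HTTP (cleartext web / device web UI)",
    445: "SMB",
    3389: "RDP",
}

# Wildcard binds: the socket accepts connections on every interface.
WILDCARD = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -tuln` output; addresses are made up.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
tcp   LISTEN 0      511    10.0.5.12:80        0.0.0.0:*
tcp   LISTEN 0      128    [::]:3389           [::]:*
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
"""

# Matches "addr:port", including IPv6 written as "[::]:3389" and "*:22".
_ADDR_RE = re.compile(r"^\[?([^\]]*?)\]?:(\d+|\*)$")


def parse_local(addr_port: str):
    """Split 'addr:port' into (addr, port); port is None for '*'."""
    m = _ADDR_RE.match(addr_port)
    if not m:
        return addr_port, None
    addr, port = m.group(1), m.group(2)
    return addr, (None if port == "*" else int(port))


def audit_listeners(ss_output: str):
    """Return (proto, addr, port, service) for risky services bound to all interfaces."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # first line is the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]  # Netid and Local Address:Port
        addr, port = parse_local(local)
        if port in RISKY_PORTS and addr in WILDCARD:
            findings.append((proto, addr, port, RISKY_PORTS[port]))
    return findings


if __name__ == "__main__":
    for proto, addr, port, service in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED {service:<38} {proto} {addr}:{port} -> bind to an "
              f"internal address or restrict it with a firewall rule")
```

On a real host, feed it `ss -tuln` output instead of the constructed sample; a service bound to 127.0.0.1 or to a single internal IP is not reported.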


Case Studies, Examples, and Statistics

Shodan is a search engine that scans the internet for connected devices and services. Unlike traditional search engines that index web pages, Shodan indexes information about devices such as desktops, laptops, servers, network devices, and more. It collects data on open ports, services running on those ports, and various other details about the devices it finds. This makes Shodan a valuable tool for security researchers and IT professionals to understand the exposure and vulnerabilities of devices connected to the internet.

Using Shodan, I have gathered statistics on open ports to illustrate the prevalence and risks associated with exposed ports. These statistics provide insights into how common certain open ports are and highlight potential security concerns.

In this section I’m going to break down some of my findings and statistics that I have pulled together from this research. I have redacted any information that could be used by bad actors.

Case Studies and Examples

  • Heartbleed Vulnerability (April 2014)

    The Heartbleed bug was a critical vulnerability in the OpenSSL cryptographic software library, discovered in April 2014. It allowed attackers to read sensitive data from the memory of affected servers, including usernames, passwords, and private keys. Here are some key details and statistics:

    • Attack Details

      • Discovery: The vulnerability was independently discovered by researchers from Google Security and Codenomicon.

      • Scope: At the time of its discovery, Heartbleed affected approximately 17% of all SSL servers, including major sites like Yahoo.

      • Severity: The bug was considered catastrophic, with security expert Bruce Schneier rating it an 11 on a scale of 1 to 10.

      • Exploitation: While it's unclear if the vulnerability was exploited in the wild before its discovery, the potential for data leakage was significant.

    • Impact

      • Affected Servers: Approximately 17% of all SSL servers were vulnerable.

      • Long-Term Exposure: Even years after its discovery, a significant number of servers remained vulnerable due to slow patching.

  • WannaCry (May 2017)

    The WannaCry ransomware attack was a significant global cyberattack that occurred in May 2017. It targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in Bitcoin. Here are some key details and statistics:

    • Attack Details

      • Propagation: WannaCry spread using an exploit called EternalBlue, which was developed by the NSA and leaked by a group known as The Shadow Brokers. The exploit targeted SMB on port 445.

      • Financial Damage: The total damages were estimated to range from hundreds of millions to billions of dollars.

      • Notable Incidents: The attack caused significant disruptions, including the temporary shutdown of several factories of Taiwan Semiconductor Manufacturing Company (TSMC) in August 2018.

    • Impact

      • Global Reach: The ransomware affected more than 200,000 systems in over 150 countries.

      • High-Profile Targets: Major organizations such as the UK's National Health Service (NHS), Renault, and FedEx were among those hit.

      • Operational Disruption: The attack led to widespread operational disruptions, particularly in healthcare and manufacturing sectors.

  • Maritime Cybersecurity Incident (April 2024)

    In April 2024, a coordinated cyberattack targeted several key maritime ports and vessels worldwide, causing widespread disruption. The attackers exploited vulnerabilities in the Automatic Identification Systems (AIS), which often have open ports for communication.

    • Attack Details

      • Targeted Systems: The attack focused on AIS, a crucial system that enables ships to broadcast their identity, position, speed, and other navigational data to nearby vessels and coastal authorities.

      • Exploited Ports: The attackers used open ports on AIS to manipulate navigation data, leading to substantial delays, misrouted cargo, and increased risk of collisions and grounding.

    • Impact

      • Global Disruption: Key ports across Europe, Asia, and North America reported extensive delays. Major shipping companies had to reroute vessels and suspend certain operations temporarily.

      • Financial Losses: The financial impact was catastrophic, with losses exceeding $500 million.

      • Data Compromise: Sensitive data, including cargo manifests and operational logs, was compromised.

    • Statistics

      • Affected Vessels: Over 1,800 vessels were targeted in the first half of 2024.

      • Ransom Demands: The average ransom demand in these attacks typically ranged around $3.2 million per affected entity.

      • Operational Events: The Port of Rotterdam experienced a near-complete shutdown of its automated systems, leading to massive backlogs and delays.

  • IoT Device Exploitation (May 2024)

    In May 2024, Microsoft uncovered a significant cyberattack targeting internet-facing IoT devices and Linux-based systems. The attackers leveraged custom and open source tools to exploit open ports, particularly SSH (port 22), to gain unauthorized access and deploy malicious software.

    • Attack Details

      • Targeted Devices: The attack focused on IoT devices and Linux-based systems, which are commonly used in various industries, including manufacturing, healthcare, and smart home environments.

      • Exploited Ports: The primary port exploited was SSH (port 22), which is used for secure remote login and other network services.

      • Methodology: Attackers used internet scanning tools to identify devices with open SSH ports. Once identified, they deployed a patched version of OpenSSH to allow root login and hijack SSH credentials.

    • Impact

      • Scope: The attack affected thousands of devices globally, highlighting the widespread vulnerability of internet-exposed IoT devices.

      • Consequences: Compromised devices were used to launch further attacks, including data exfiltration and network disruption.

    • Statistics

      • Increase in IoT Vulnerabilities: The number of vulnerabilities in IoT devices expanded by 136% from the previous year.

      • Risk Assessment: IoT devices with open ports were identified as among the riskiest connected devices in 2024.

Statistics

Using Shodan, I gathered data on the prevalence of open ports across various devices connected to the internet. These numbers can only indicate how many devices Shodan has found with these ports, so we cannot use them as definite numbers. The real numbers could be higher; we just don’t have proof of that. Here are some key findings:

  • Open Ports

    • Remote Desktop Protocol (Port 3389): 3,454,773 instances

      • Top 5 Countries:

        • United States: 986,492

        • China: 885,012

        • Singapore: 210,271

        • Germany: 181,166

        • United Kingdom: 107,941

      • Though the default port for RDP is 3389, I found devices also using ports 3388 and 443 for Remote Desktop Protocol.

      • Since the instances on port 443 were using an encrypted channel, information about the connection and the device was not visible, so you cannot see details such as which operating system it is using, computer name, domain name, and connected users.

    • Server Message Block (Port 445): 1,496,708 instances

      • Top 5 Countries

        • United States: 600,158

        • Pakistan: 90,225

        • Russia: 71,899

        • Hong Kong: 70,232

        • Germany: 70,122

      • Of the 1.4 million instances, 209,083 had authentication disabled. Of those, 178,264 were running SMB version 1.

      • Of the 1.4 million instances, 130,696 of them were running a Unix based operating system.

Geographical Distribution

  • Cities with Most Open Ports:

    • Kansas City: 977,890

    • Mountain View: 224,092

    • Redwood City: 101,959

    • San Jose: 91,010

    • Los Angeles: 73,282

Organizations with the Most Open Ports

  • Top Organizations:

    • Google LLC: 1,195,911 instances, this includes residential and commercial Google Fiber and Google Cloud services.

    • Incapsula Inc: 106,219 instances, a cloud-based application delivery platform that often uses open ports for web applications.

    • Microsoft Corporation: 71,733 instances, this includes Azure services that businesses have deployed in their tenant. This likely means there are a large number of businesses that SHOULD be on this list, but aren’t, because Microsoft owns Azure.

    • PEG TECH INC: 42,086 instances, a hosting provider that supports various online services.

    • Amazon Technologies Inc: 18,919 instances, including AWS services. The same caveat I used under Microsoft applies here since Amazon owns AWS.

Vulnerabilities

  • Common Vulnerabilities Seen:

    • SMBv3 Remote Code Execution (including CVE-2020-0796): 40,851 instances, a vulnerability in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol over SMB (port 445) that allows attackers to execute arbitrary code on the target server or client.

    • BlueKeep: 2,398 instances, a critical vulnerability in RDP (port 3389) that allows remote code execution on unpatched systems.

    • EternalBlue: 330 instances, a vulnerability in SMB (port 445) exploited by the WannaCry ransomware.

    • CVE-2021-23017: A security issue in the nginx resolver that allows a 1-byte memory overwrite, potentially leading to more severe exploits.

    • CVE-2021-3618: The ALPACA attack, which exploits TLS servers implementing different protocols, allowing cross-protocol attacks.

Tags

  • Common Tags:

    • Cloud: 1,128,386 instances, indicating devices hosted in cloud environments. This one is especially shocking to me as I served in my previous employment as a Lead Cloud Engineer. I cannot imagine deploying a cloud environment, paying the monthly invoice, and opening up that environment to potential bad actors. That number was staggering to see on my screen…

    • Self-signed: 387,197 instances, indicating the use of self-signed SSL certificates.

    • CDN: 114,549 instances, indicating content delivery network services.

    • eol-os (end-of-life operating systems): 51,075 instances, indicating devices running unsupported operating systems.

    • eol-product (end-of-life products): 638 instances, indicating devices using outdated and unsupported products.

Operating Systems

  • Top Operating Systems:

    • Windows Server 2022 (build 10.0.20348): 121,576 instances, a modern server operating system with open ports for various services.

    • Windows 10 (build 10.0.17763): 88,993 instances, a common build of Windows from November 2018 with open ports for remote access and file sharing.

    • Windows Server 2012 R2 Datacenter 9600: 63,699 instances, an older server operating system still in use with open ports. Windows Server 2012 R2 reached End of Life in October of 2023. It enters Extended Security Update Year 3 in October 2025, which runs until October 2026, after which it will no longer receive any security updates.

    • Windows 10 (build 10.0.19041): 45,130 instances, another common build of Windows from May 2020 with open ports.

    • Windows 10 (build 10.0.14393): 43,623 instances, an older build of Windows from August 2016 with open ports.

SSL Insights

  • SSL/TLS Versions:

    • tlsv1.2: 386,614 instances, the most widely used version of SSL/TLS.

    • tlsv1: 360,399 instances, an older version of SSL/TLS still in use.

    • tlsv1.1: 359,476 instances, another older version of SSL/TLS.

Conclusion

Open ports on internet-connected devices present significant security risks that cannot be ignored. As we have seen through various case studies and statistics, these vulnerabilities can lead to unauthorized access, malware infections, denial of service attacks, data exfiltration, and compromised devices. High-profile incidents like the WannaCry ransomware attack, the Heartbleed vulnerability, the IoT device exploitation, and the Maritime Cybersecurity Incident highlight the critical need for increased security measures.

By understanding the nature of ports and the risks associated with leaving them exposed, IT professionals and organizations can take proactive steps to secure their networks. Regular port scanning, proper firewall configuration, timely patch management, and network segmentation are essential practices to mitigate these risks.

The data gathered from Shodan underscores the prevalence of open ports and the potential vulnerabilities they introduce. With millions of devices exposed, it is imperative to prioritize cybersecurity and protect against potential threats.

In conclusion, the convenience and connectivity provided by the internet are invaluable, but they come with inherent risks. By understanding the vulnerabilities associated with open ports and taking steps to mitigate them, we can protect our data and maintain the integrity of our digital lives. As technology continues to evolve, so too must our approach to cybersecurity. It is crucial to stay informed and vigilant, ensuring that our devices and networks are safeguarded against potential threats.

If you have any questions, need assistance, or want to schedule an assessment, feel free to reach out. Stay safe and secure!
