The UpGuard Cyber Risk team can now report that 73 gigabytes of downloadable data belonging to Washington-based internet service provider Pocket iNet was publicly exposed in a misconfigured Amazon S3 storage bucket. According to their website, Pocket iNet “makes use of bleeding edge and emerging technologies such as native IPv6, Carrier Ethernet and local fiber to the premise delivering the highest possible service levels to connected customers."
Among the data exposed were lists of plain text passwords and AWS secret keys for Pocket iNet employees, internal network diagramming, configuration details, and inventory lists, and photographs of Pocket iNet equipment, including routers, cabling, and towers.
The Discovery
On October 11th, 2018, the UpGuard Cyber Risk team discovered a publicly exposed bucket named “pinapp2” containing 73 gigabytes of data. Analysis revealed spreadsheets, pictures, and diagrams belonging to Washington-based internet service provider (ISP) Pocket iNet.
UpGuard first notified Pocket iNet that same day via phone and email. Pocket iNet was able to confirm the exposure during that initial call. However, seven days passed before Pocket iNet finally secured the exposure. Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset. Internet service providers have been designated as part of the US Critical Infrastructure and represent a prime target for adverse nation-state threat groups . Finally, on October 19th the exposure was secured, preventing the exploitation of this data from any future malicious activity.
Misconfigured Amazon S3 storage is responsible for many large scale unintentional data exposures. Although buckets are private by default, accidental or misinformed changes to the bucket’s access control list (ACL) can make the contents visible to the internet at large just by navigating to the bucket URL. Our article on properly securing Amazon S3 resources can be found here.
The Contents
Although the “pinapp2” bucket itself was exposed to the internet, not all of the bucket contents were downloadable. However, relying on file or folder-level permissions to secure items in a public bucket is always risky, because one missed ACL permission and an exposure can occur. In the case of Pocket iNet, a folder called “tech” was left downloadable within the bucket, and this folder contained sensitive information.
Plain Text Passwords
Most damaging were several lists of plain text passwords to various resources belonging to Pocket iNet employees. Among the devices and services listed in these documents are firewalls, core routers and switches, servers, and wireless access points.
Nearly all of these accounts were named "root" or "admin," meaning that these credentials likely offer full access to read and modify the assets to which they pertain. The malicious potential should these credentials fall into the hands of a bad actor is extremely high, creating risk for the entire Pocket iNet network infrastructure. Exposing files like this offers up the keys to the kingdom, but in truth, such files should not exist in any form. Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business.
Best practices would prevent such documents from being created at all. If such documents must exist, they should be strongly encrypted and stored in a known secure location. IT shops who possess such documents should ask themselves what about their processes and resources makes them necessary in the first place, and work to a better solution so that critical information isn’t centralized in such a dangerous manner.
Configuration Details and Inventory
In addition to the passwords and keys exposed by Pocket iNet, configuration details for broadcast and backbone network devices were also present in the downloadable “tech” folder. These configuration details enumerate important information about Pocket iNet’s operations.
Even without the exposed passwords, this kind of large scale configuration data can be dangerous. However, with the inclusion of plain text passwords to some of these devices, this exposed data set may give a malicious actor everything they need to disrupt, exploit, or otherwise modify network operations.
Photographs and Other Data
The “tech” directory also included photographs of Pocket iNet hardware installations, including racks of network gear and transmission towers. These photos offer some insight into Pocket iNet’s own physical infrastructure.
By themselves these photos likely couldn’t cause much harm, but considered among the other data in this exposed set, they are yet another point of reference for anyone looking to exploit this information.
The exposed data also included a list of “priority customers,” including Lockheed Martin, Toyota, the Richland School District, and the Lourdes Medical Center, among others.
The Significance
According to their website, “PocketiNet serves the Mid-Columbia Basin from Walla Walla to Yakima, WA and south to Umatilla, OR and all points in between.” However, it is also important to note that Pocket iNet is also a participant in the US backbone internet traffic system. Malicious actors coming across administrative credentials and network mappings for an internet service provider could cause significant harm.
According to CSO Online, businesses will spend nearly a trillion dollars between 2017-2021 on cybersecurity. While the solutions purchased with this money will address a wide range of malicious activity, including malware, intrusion detection and prevention, network monitoring and analysis-- far less attention is given to misconfigurations, an unintended byproduct of data handling and processing without sufficient controls. The accidental exposure of administrative credentials, as in the case of Pocket iNet, makes it easy for a potential malicious actor to exploit resources for their own agenda. Technology based businesses-- which is nearly every business today-- must understand and proactively mitigate the risk of unintentional data exposure to protect themselves and their customers.
Companies handling critical infrastructure are held to an even higher standard. For example, the NERC requirements for entities in the power and energy sector were developed from a need to keep power grids continuously functional. The best methods and practices to do so were collated into a set of regulations that govern how affected entities must handle operations to ensure reliability. The ramifications of a tampered with internet provider could be far reaching, and the same care should be taken with their digital operations to keep data and systems secure and functional.