Slashdot Mirror


Someone Published a List of Telnet Credentials For Thousands of IoT Devices (bleepingcomputer.com)

An anonymous reader writes: A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons. The list includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. During the past week, a security researcher has been working to find affected devices and notify owners or their ISPs. Following his work, only 2,174 devices still allow an attacker to log on via its Telnet port, and 1,775 of the published credentials still work. "There are devices on the list of which I never heard of," the researcher said, "and that makes the identification process much slower."

104 comments

  1. Something new? by 0100010001010011 · · Score: 1

    I almost always turn to google when trying to remember WTF the default settings are on a newly reset device like routers, modems, etc.

    1. Re:Something new? by Mr+D+from+63 · · Score: 1

      So this is a handy list for device factory resets.

    2. Re:Something new? by Anonymous Coward · · Score: 2, Insightful

      The problem isn't the credentials. It's the IP addresses. Now you know where they are and you can login and hijack the devices.

    3. Re:Something new? by Anonymous Coward · · Score: 0

      I turn to google if I can't guess it in the first three attempts, which is most of the time.

    4. Re: Something new? by AvitarX · · Score: 1

      Any router I've purchased that resets to a custom password I give a one star review to.

      The numbers always wear down and I'm left with a brick (little USB powered travel ones, so they get more motion than a typical router).

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    5. Re: Something new? by Anonymous Coward · · Score: 0

      IP addresses are public. Are you computer illiterate?

    6. Re: Something new? by Anonymous Coward · · Score: 0

      So you've obviously never thought of using a pen and paper to make notes?

    7. Re: Something new? by Anonymous Coward · · Score: 0

      Snap a photo of the serial number or whatever and file it away with your system info. Print it out if you don't want an electronic copy.

    8. Re:Something new? by JohnFen · · Score: 1

      The problem isn't the credentials. It's the IP addresses.

      Kinda. These addresses are trivially discoverable. If you run a firewall, take a look at its logs sometime. You'll see tons of portscans. Many of these are probes looking for devices like these.

      The only thing the list does is make it a little more convenient.

    9. Re: Something new? by AvitarX · · Score: 1

      Yes, the fact that the router requires a chore to prevent bricking is annoying, thus the one star.

      If they want security, don't route to a gateway until it's been set up, and force passwords and wireless security then.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  2. Non issue by Anonymous Coward · · Score: 0

    Nobody should have been using telnet for the past 15 years.

    You've been warned 10000+ times, and now you're pwn3d.

    1. Re:Non issue by Anonymous Coward · · Score: 1

      Your logic is shoddy. No one should ever kill anyone either, that doesn't make it a non-issue. Please, get down from the high horse and step slowly away from it...

    2. Re:Non issue by Opportunist · · Score: 2, Insightful

      This would be something to blame on the people if they

      a) knew the device used telnet
      b) knew what telnet is
      c) knew the device can be reached at all

      If you want to throw dirt at someone, throw it at the assholes selling this garbage.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Non issue by asvravi · · Score: 1

      Yeah, I knew all those. It was my honeypot, you insensitive clod!

    4. Re:Non issue by Anonymous Coward · · Score: 0

      It's not going to make any difference if it's a list of usernames, passwords and IP addresses.

    5. Re:Non issue by mikael · · Score: 1

      If you look in the right webpages, they'll tell you how to set up your personal data server, so you can access all your videos and documents from anywhere in the world without having to need a username or password to log in.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    6. Re:Non issue by drinkypoo · · Score: 1

      There's plenty of blame to go around. Shareholders, developers, their managers, the users... why shouldn't everyone share? Assign guilt to everyone involved by the amount of profit gained.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Non issue by HornWumpus · · Score: 3

      The router manufacturers have a large share of blame.

      The average /.er (that knows anything) has blocked the Telnet port, default router configs should do the same for the clueless.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    8. Re:Non issue by AmiMoJo · · Score: 1

      I can see ISPs blocking telnet and other services, the same way as they block port 21 to prevent email spam.

      Maybe they could sell it as a feature. Have a second SSID for not-very-smart devices that is firewalled and remotely filtered and monitored for malicious activity. The privacy implications are mind boggling but I'm sure most people would see it as a great feature.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Non issue by Opportunist · · Score: 1

      Blocking port 21 will probably not really help against mail spam, but it might work wonders against illegal FTP filesharing... if that still was a thing, that is.

      My ISP started filtering the netbios trinity and its sister ports a few years ago (i.e. 135, 137-139 and 445), which was the death spell to my favorite pastime, collecting people's private porn pics.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Non issue by arth1 · · Score: 3, Insightful

      Nobody should have been using telnet for the past 15 years.

      Telnet is useful and deserves to live. When I hook up a terminal over a serial connection, I want telnet.
      Also, a telnet client is one of the most useful troubleshooting tools you can find.
      Telnet servers on Internet is the problem, not telnet.

    11. Re:Non issue by Anonymous Coward · · Score: 0

      No $Vendor should be using telnet. Anyone with even a basic education in security knows this. At least use SSH and disable remote root logins.

    12. Re:Non issue by Anonymous Coward · · Score: 0

      What nonsense! Default router configurations do not forward packets unless its admin account has been used to create forwarding rules. This is the single biggest issue for your so-called "clueless" people in that they do not know how to do it when needed. I'm calling out your BS; list five consumer routers that leave port 21 open (and let's not forget those packets need to be pointed to a device running telnet to even be effective).

      We're waiting...

    13. Re: Non issue by Anonymous Coward · · Score: 0

      The first unix troubleshooting trick I learned was 'telnet to the remote port to see if it is listening/responding'. Of course that was before ssh.

    14. Re:Non issue by JohnFen · · Score: 1

      These are commercially manufactured devices, not hobbyist ones made by people who don't know any better.

      There is exactly zero excuse for these devices to be running telnet servers.

    15. Re:Non issue by HornWumpus · · Score: 1

      Fuckoff AC, you don't even know which port Telnet runs on. Quit trying to act smart.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    16. Re: Non issue by arth1 · · Score: 1

      The first unix troubleshooting trick I learned was 'telnet to the remote port to see if it is listening/responding'. Of course that was before ssh.

      It's still very useful. Most services are text based, and you can generate queries and see the actual unparsed replies, which is a great help in troubleshooting. SMTP and HTTP in particular are often troubleshot with a telnet client.


      telnet www.google.com 80
      Trying 2607:f8b0:4006:815::2004...
      Connected to www.google.com.
      Escape character is '^]'.
      HEAD / HTTP/1.1
      Host: www.google.com
      Connection: close

      HTTP/1.1 200 OK
      Date: Tue, 29 Aug 2017 15:53:10 GMT
      Expires: -1
      Cache-Control: private, max-age=0
      Content-Type: text/html; charset=ISO-8859-1
      P3P: CP="This is not a P3P policy! See https://www.google.com/support... for more info."
      Server: gws
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Set-Cookie: NID=111=[...]; expires=Wed, 28-Feb-2018 15:53:10 GMT; path=/; domain=.google.com; HttpOnly
      Accept-Ranges: none
      Vary: Accept-Encoding
      Connection: close

      Connection closed by foreign host.
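The HEAD-over-telnet trick quoted above, done in code so the "actual unparsed reply" can be inspected field by field. This is an added example, not something from the thread or from arth1: it builds the same request the post typed by hand, can send it over a plain TCP socket (exactly what a telnet client does, cleartext included), and parses the raw reply into status and headers. The SAMPLE_RESPONSE bytes are constructed for the example, modelled on the headers quoted in the post, so it runs offline.

```python
"""Added example: send the HEAD request from the post over a raw socket and
parse the unparsed reply.  Nothing here is from the thread; the sample
response is constructed, not captured live."""
import socket


def build_head_request(host: str, path: str = "/") -> bytes:
    """Return the raw HTTP/1.1 HEAD request bytes a telnet session would send."""
    lines = [
        f"HEAD {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: close",
        "",  # blank line terminates the header block
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into version, status, reason and headers.

    Only the head is parsed; whatever follows the blank line is returned as
    the raw body (empty for a HEAD reply).  Header names are lower-cased so
    lookups do not depend on the server's capitalisation.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": version, "status": code, "reason": reason,
            "headers": headers, "body": body}


def head_over_socket(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Do what 'telnet host 80' plus typing the request does by hand.

    The transport is cleartext TCP: anyone on the path sees both directions,
    which is fine for troubleshooting a public web server and is exactly why
    the same transport is unacceptable for a remote login service.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:  # server honoured "Connection: close"
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


# Constructed sample reply (modelled on the one quoted in the post).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 29 Aug 2017 15:53:10 GMT\r\n"
    b"Cache-Control: private, max-age=0\r\n"
    b"Content-Type: text/html; charset=ISO-8859-1\r\n"
    b"Server: gws\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print(parsed["status"], parsed["reason"], parsed["headers"]["server"])
    # head_over_socket("www.google.com") would do the live version.
```

parse_response deliberately does no more than split on CRLF and colons: the point of the telnet technique is to see what the server really sent, so the parser keeps every header verbatim rather than normalising values.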

    17. Re: Non issue by rnash · · Score: 1

      telnet client is fine to test SMTP, HTTP or any clear text protocol.
      What is bad is "telnetd", the remote access service allowing remote administration, with everything in cleartext, usually listening on port 23.

    18. Re:Non issue by Anonymous Coward · · Score: 0

      Take the stick out of your arse, the man had a port number wrong but his point still stands. Name 5 routers that leave port 23 open to either themselves or ports behind it and for every 5 you list, I shall post 20 that don't.

  3. good luck hacking in to mine by FudRucker · · Score: 3, Interesting

    All my IoT devices are on a separate LAN that is not connected to the internets. I had an extra wifi router lying around and put it to work as a LAN ONLY IoT DHCP server.

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:good luck hacking in to mine by thebes · · Score: 4, Funny

      *slow clap*

    2. Re:good luck hacking in to mine by Anonymous Coward · · Score: 0

      So. Why?

    3. Re:good luck hacking in to mine by Opportunist · · Score: 1

      Want me to sell you one that still gives me all the info I want about your lan?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:good luck hacking in to mine by FudRucker · · Score: 1

      Unless you can crack WPA2. And wifi admin access to the router has been disabled; you've got to admin it with an ethernet connection, and if you get that close to the router you will have bigger problems than cracking a password.

      --
      Politics is Treachery, Religion is Brainwashing
    5. Re:good luck hacking in to mine by Anonymous Coward · · Score: 0

      That makes them NOT internet of things devices, or NIoT's. I'm sure after some more thought you can come up with a device name category even worse than Microsoft's naming conventions.

    6. Re:good luck hacking in to mine by Anonymous Coward · · Score: 0

      So that when he remembers he didn't lock his house after getting to work, he can turn around and drive home to get within wifi range in his driveway to lock his doors. Duh, it's so super convenient. Why wouldn't everyone else be doing this?

    7. Re: good luck hacking in to mine by Anonymous Coward · · Score: 0

      INoT??

    8. Re:good luck hacking in to mine by Sindar+By+Choice · · Score: 0

      I bet you wish you had an extra wifi router laying around.

    9. Re: good luck hacking in to mine by Anonymous Coward · · Score: 0

      If he has the presence of mind to do all that, couldn't he also create a method of remote connecting to a local device, and locking the door that way? Why would he have to drive home to lock the door?

    10. Re:good luck hacking in to mine by AmiMoJo · · Score: 3, Insightful

      Okay, good for you, but isn't the point of *Internet* of Things devices that they are connected to the internet? If they aren't connected, they are just dumb devices and you wasted your money buying them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:good luck hacking in to mine by Opportunist · · Score: 1

      Well, let's see. You have to connect it in some way to your network. Either it's wireless. Then you have to give my device your WPA2 key. Or it's wired. Then I'm connected anyway. What I need now is one stupid neighbor who does not secure his WiFi AP so I have an egress point for the data.

      The rest is mostly dependent on how your network is set up. There's always a way in and a way out, all that matters is finding it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:good luck hacking in to mine by dark.nebulae · · Score: 1

      Hey, you can let the devices connect to the internet, you're just blocking brain-dead incoming telnet traffic to the device.

      Assuming, of course, that you know how to configure routing on your internal network and know what port(s) from the device are needed to support necessary connectivity...

    13. Re:good luck hacking in to mine by thebes · · Score: 1

      What, so I can pretend to be cool with a raspberry pi idling away on this wifi network?

    14. Re:good luck hacking in to mine by MobyDisk · · Score: 1

      LAN of things? LoT?

    15. Re: good luck hacking in to mine by dnaumov · · Score: 1

      Congratulations on belonging to less than 0.1% of Internet users. That will help you so much with bot ddos attacks.

    16. Re:good luck hacking in to mine by SeaFox · · Score: 1

      That's not hard. NewEgg is often offering those magically craptastic OnNet routers for free with the purchase of a Motorola cable modem.

    17. Re:good luck hacking in to mine by Gr8Apes · · Score: 1

      That's not hard. NewEgg is often offering those magically craptastic OnNet routers for free with the purchase of a Motorola cable modem.

      And they're worth every penny you paid.

      --
      The cesspool just got a check and balance.
    18. Re:good luck hacking in to mine by Gim+Tom · · Score: 1

      Not worth that much. Damn good time sinks if you really try to make any use out of them.

    19. Re: good luck hacking in to mine by Anonymous Coward · · Score: 0

      Cool, can I have my burger now?

    20. Re: good luck hacking in to mine by AvitarX · · Score: 1

      But then they're not on a LAN only network anymore.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    21. Re:good luck hacking in to mine by AvitarX · · Score: 1

      But what's the point if you can't set your heat A/C on your way home from vacation, or check that everything is going fine remotely?

      I mean, control of devices from my phone while on the couch has some value, but it's the internet connection that's even more important.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    22. Re:good luck hacking in to mine by Anonymous Coward · · Score: 0

      Gateways and proxies - how do they work?

      Isolated IP camera network? RTSP Proxy. Web service interface? Nginx reverse proxy on the edge. Freaky out of spec proprietary protocol and BS "app"? Ssh tunnels.

    23. Re:good luck hacking in to mine by narced · · Score: 1

      I'm sure that I've told you this before, but:

      const int one = 65536;

      Is wrong. If you add 1 to 65,535 in a 16 bit unsigned integer you get 0, not 1.

    24. Re:good luck hacking in to mine by JohnFen · · Score: 1

      unless you can crack wpa2

      If someone can place a small device within your WiFi range for a few days, and you have devices connecting and disconnecting during that time, then WPA2 is totally crackable.

      If you're very concerned about security, you want all your devices to be using good crypto and authentication procedures even when you're using WPA2.

    25. Re:good luck hacking in to mine by JohnFen · · Score: 1

      If they aren't connected, they are just dumb devices

      Umm, no. A smart device is one that can do its own computations. Being connected to the internet is not part of the definition.

      Likewise, if you have a device that relies on a server to do its computations, it's only a smart device in the sense that it has enough brains to connect to the internet. In every other respect, it's a dumb device.

    26. Re:good luck hacking in to mine by Anonymous Coward · · Score: 0

      I'm sure that I've told you this before, but: const int one = 65536; Is wrong. If you add 1 to 65,535 in a 16 bit unsigned integer you get 0, not 1.

      It's a quote of code. It can't be "wrong". I mean, the point of quoting it is because it is crazy looking.

    27. Re:good luck hacking in to mine by Sindar+By+Choice · · Score: 0

      No pretending involved my friend.

  4. Telnet!?!?!?!?!?!? by Major_Disorder · · Score: 2

    Really? It has been, what, 25 years since I was told by a friend that using Telnet was a bad idea, and I should start using this newfangled ssh. I resisted for a while as my server was an old 386, and pretty slow to connect over ssh. But I eventually gave in and the world became a happier, safer, and more secure place.

    --
    First law of people: People are generally stupid.
    1. Re:Telnet!?!?!?!?!?!? by Anonymous Coward · · Score: 0

      Meh, telnet isn't really the problem here.

      Telnet is a problem if you are using unencrypted wireless or can't trust your ISP.
      If one of those is true you have much larger problems to worry about than telnet.

    2. Re:Telnet!?!?!?!?!?!? by Major_Disorder · · Score: 0

      Meh, telnet isn't really the problem here.

      If one of those is true you have much larger problems to worry about than telnet.

      You are mistaken. A simple and essentially free method of making your device slightly more secure is to not install telnet. People are stupid, limiting their opportunities to prove it is the only sensible course.

      --
      First law of people: People are generally stupid.
    3. Re:Telnet!?!?!?!?!?!? by JohnFen · · Score: 1

      You are correct in terms of sniffing existing data streams. You are incorrect in terms of preventing attackers from gaining access to your system.

      Telnet is intrinsically insecure.

  5. LOL ... suckers ... by Anonymous Coward · · Score: 0

    Honestly if you have an IoT device with default credentials which can be reached from the internet at large, then both you and the company who made it are fucking morons.

    The companies who make these things don't give a fuck about you or your security, and only gave a damn about getting half-assed product out the door.

    The "internet of turds" is a pathetic joke, and the idiots who are flocking to internet connected devices who know nothing about this stuff deserve what they get. If YOU can access it from an app on your phone, some other asshole can and WILL also access it.

    This is hilarious, and entirely something we've been predicting for years.

    1. Re:LOL ... suckers ... by Anonymous Coward · · Score: 0

      If YOU can access it from an app on your phone, some other asshole can and WILL also access it.

      While likely that's not necessarily true. Instead of having IoT devices with open ports on the general internet they can be designed securely so that the IoT devices coordinate with a CO and the (authenticated) apps talk to the same CO to route requests. But then you're beholden to the company running the CO - who cares if they give your "free access for life" when they're probably going to go bankrupt in 3-5 years and switch it all off.

  6. Real money by Anonymous Coward · · Score: 0

    Let me know when you get over ten million. Those IoT jobs have _tiny_ processors so your botnet has to have a whole lot of them to make it worth the hassle.

  7. Blurring part of the screenshot wont save you by Anonymous Coward · · Score: 2, Informative
  8. Actually M@T#ER F#CKER is pretty good by Trax3001BBS · · Score: 1

    I count 6 logins as even trying.

    1. Re:Actually M@T#ER F#CKER is pretty good by Trax3001BBS · · Score: 1

      I saw a different list than is being seen now; it has been updated and the following is what I read

      SecLists/Passwords/mirai_botnet.txt
      a823fad on Oct 7, 2016
      @danielmiessler danielmiessler Mirai botnet creds.
      62 lines (60 sloc) 779 Bytes
      root xc3511
      root vizxv
      root admin
      admin admin
      root 888888
      root xmhdipc
      root default
      root jauntech
      root 123456
      root 54321
      support support

    2. Re:Actually M@T#ER F#CKER is pretty good by Trax3001BBS · · Score: 1

      and:
      root (none)
      admin password
      root root
      root 12345
      user user
      admin (none)
      root pass
      admin admin1234
      root 1111
      admin smcadmin
      admin 1111
      root 666666
      root password
      root 1234
      root klv123
      Administrator admin
      service service
      supervisor supervisor
      guest guest
      guest 12345
      admin1 password
      administrator 1234
      666666 666666
      888888 888888

    3. Re:Actually M@T#ER F#CKER is pretty good by Trax3001BBS · · Score: 1

      and
      ubnt ubnt
      root klv1234
      root Zte521
      root hi3518
      root jvbzd
      root anko
      root zlxx.
      root 7ujMko9vizxv
      root 7ujMko0admin
      root system
      root ikwb
      root dreambox
      root user
      root realtek
      root 000000
      admin 1111111
      admin 1234
      admin 12345

    4. Re:Actually M@T#ER F#CKER is pretty good by Trax3001BBS · · Score: 1

      Sorry it came to this, and:
      admin 54321
      admin 123456
      admin 7ujMko0admin
      admin pass
      admin meinsm
      tech tech
      m@t#er f#cker - curse filter

    5. Re:Actually M@T#ER F#CKER is pretty good by Anonymous Coward · · Score: 0

      guest guest is always logging into my BBS... oh well, I suppose it's on the list now!
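A defender's use for the credential list pasted in the comments above (and for the "guest guest keeps logging into my BBS" observation): count login attempts on a honeypot or a telnet/BBS service that use one of the Mirai default pairs, per source address. This is an added example, not code from the thread or from SecLists. The credential pairs are a subset of the list quoted above; the log lines are constructed for this example in a Cowrie-style JSON shape (eventid, username, password, src_ip) and are not real captures.

```python
"""Added example: flag login attempts that use the Mirai default credentials
quoted in the thread.  Credentials are from the posted list; the log lines
below are constructed, not real traffic."""
import json
from collections import Counter

# Subset of the posted mirai_botnet.txt, as (username, password).
# "(none)" in the list means an empty password.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("root", ""), ("admin", "password"),
    ("root", "root"), ("user", "user"), ("admin", ""), ("guest", "guest"),
    ("guest", "12345"), ("ubnt", "ubnt"), ("root", "7ujMko0admin"),
    ("tech", "tech"),
}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "username": "root", "password": "xc3511", "src_ip": "192.0.2.10"}
{"eventid": "cowrie.login.failed", "username": "root", "password": "vizxv", "src_ip": "192.0.2.10"}
{"eventid": "cowrie.login.success", "username": "guest", "password": "guest", "src_ip": "198.51.100.7"}
{"eventid": "cowrie.login.failed", "username": "alice", "password": "correct horse", "src_ip": "203.0.113.5"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5"}
not json at all
{"eventid": "cowrie.login.failed", "username": "root", "password": "", "src_ip": "192.0.2.10"}
"""


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip blank or broken lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line should not abort the whole analysis


def mirai_attempts(text):
    """Counter of src_ip -> login events whose (user, password) is a Mirai default."""
    hits = Counter()
    for ev in parse_events(text):
        if not str(ev.get("eventid", "")).startswith("cowrie.login."):
            continue  # only login events carry credentials
        pair = (ev.get("username", ""), ev.get("password", ""))
        if pair in MIRAI_DEFAULTS:
            hits[ev.get("src_ip", "?")] += 1
    return hits


def summarize(text):
    """Sorted list of (src_ip, count), busiest source first."""
    return sorted(mirai_attempts(text).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG):
        print(f"{ip:16} {n} Mirai-default login attempts")
```

A source that walks this list in order is almost certainly a Mirai-family scanner rather than a person who mistyped a password, which is why the count is keyed by source address rather than by username.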

  9. Not just botnetting. by Ungrounded+Lightning · · Score: 4, Informative

    Let me know when you get over ten million. Those IoT jobs have _tiny_ processors so your botnet has to have a whole lot of them to make it worth the hassle.

    It doesn't take much processor speed to be an effective botnet bot. The limit is the network bandwidth, which can generally be saturated with little crunch.

    Also: A "small processor" by today's standards is blazingly fast compared to those of even just a few years back. Typical IoT devices have plenty of processor speed, necessary to handle their networking protocols, which they only use in bursts. The battery powered ones achieve long life by spending almost all of their time "asleep", with nothing powered up but any persistent output lines and a wristwatch-crystal "alarm clock" to wake up the CPU when it's time to do some work - or turn on the radio and see if somebody needs to talk.

    But the issue is not just botnet operators adding them to their net.

    Those devices are doing some mission. If they can be rooted, an attacker can also take over and disrupt whatever it is they are supposed to be doing.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Not just botnetting. by JohnFen · · Score: 1

      This is 100% correct.

      You'd be amazed what you can do with even a ten-cent, 6 pin microcontroller.

    2. Re:Not just botnetting. by Anonymous Coward · · Score: 0

      Amplification attacks make even the smallest processor a potent DDoS tool. Small request, large response.

  10. Any FBI / CIA / NSA logins? by Joe_Dragon · · Score: 1

    Any FBI / CIA / NSA logins? with their names as the login

  11. Telnet? this is a joke right! by oldgraybeard · · Score: 1

    What business does any manufacturer have enabling or using telnet on any products!

    1. Re:Telnet? this is a joke right! by Anonymous Coward · · Score: 0

      What business does any manufacturer have enabling or using telnet on any products!

      That's the problem, this shit is driven by the business folks and not legitimate tech folks.
      Which leads to lazy, incompetent, hastily built products which are slapped together on a shoe string so they can say "me too" and push some pile of garbage out the door.

      They simply don't fucking care as long as they get your money, and they have an EULA which pretty much absolves them of any responsibility for producing shitty products. They don't give a crap about security, because it costs more money, so they don't even try.

      Most of these products should be presumed to be about as safe and reliable as a car from the shadiest of all possible used car dealers. In other words, don't buy them.

      Between the companies deliberately putting in malware, or the companies who are too lazy and stupid to know they're making sub-standard products, most consumer electronics have no business being presented to the internet.

      This is just a massive example of the low quality products out there which are geared for "cool" or "convenient", but which are otherwise complete garbage.

      Caveat mother fucking emptor, suckers.

    2. Re:Telnet? this is a joke right! by HornWumpus · · Score: 4, Insightful

      They didn't, they grabbed a standard Linux image that included Telnet and never gave it a thought.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    3. Re:Telnet? this is a joke right! by Anonymous Coward · · Score: 0

      What "standard Linux image" has a Telnet server enabled by default? Can you give any examples?

    4. Re:Telnet? this is a joke right! by oldgraybeard · · Score: 1

      There is a standard Linux image that has telnet enabled and an iptable rule?

    5. Re:Telnet? this is a joke right! by HornWumpus · · Score: 3, Informative

      It took me 30 seconds on Google to confirm. Busybox to start.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  12. You mean you don't by bobstreo · · Score: 1

    Do a port scan with nmap for every device you have on your network? And every time you add one?

    Then you can block things you don't want accessed from the Internet on your firewall/router...

    1. Re:You mean you don't by Anonymous Coward · · Score: 0

      Your firewall should default deny. If you don't have to explicitly enable a connection for a new device then you already failed.
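The "port scan every device you add" advice above, made repeatable. This is an added example, not code from the thread: it parses nmap's grepable output (`-oG`, a real nmap option) and lists every host on which a given port is reported open, so a fresh scan can be diffed against the previous inventory before a new device is allowed past a default-deny firewall. The SAMPLE_GNMAP text is constructed for the example, not a real scan; on your own network you would run something like `nmap -p 23 -oG scan.gnmap 192.168.1.0/24` and pass the file contents to hosts_with_open_port().

```python
"""Added example: find hosts with a telnet listener in nmap -oG output and
report what is new since the last scan.  The sample scan text is constructed."""
import re

# Grepable-output host line carrying port results, e.g.
#   Host: 192.168.1.1 (gateway.lan)<TAB>Ports: 23/open/tcp//telnet///
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*)$")

SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -p 22,23 -oG - 192.168.1.0/24
Host: 192.168.1.1 (gateway.lan)\tStatus: Up
Host: 192.168.1.1 (gateway.lan)\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.23 ()\tPorts: 22/closed/tcp//ssh///, 23/open/tcp//telnet///
Host: 192.168.1.40 (cam.lan)\tStatus: Up
Host: 192.168.1.40 (cam.lan)\tPorts: 22/filtered/tcp//ssh///, 23/open/tcp//telnet///
# Nmap done: 256 IP addresses (3 hosts up)
"""


def parse_gnmap(text):
    """Yield (ip, hostname, port, state, service) for every port entry.

    Each entry in the Ports field is port/state/proto/owner/service/rpc/version/.
    """
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comments and Status-only lines carry no ports
        ip, hostname, ports = m.groups()
        for entry in ports.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue
            yield ip, hostname, int(fields[0]), fields[1], fields[4]


def hosts_with_open_port(text, port=23):
    """Sorted list of (ip, hostname) where `port` is reported open."""
    found = {(ip, host) for ip, host, p, state, _ in parse_gnmap(text)
             if p == port and state == "open"}
    return sorted(found)


def new_since(previous, current, port=23):
    """Hosts exposing `port` in `current` that did not expose it in `previous`."""
    before = set(hosts_with_open_port(previous, port))
    after = set(hosts_with_open_port(current, port))
    return sorted(after - before)


if __name__ == "__main__":
    for ip, host in hosts_with_open_port(SAMPLE_GNMAP):
        print(f"telnet open on {ip} {host}".rstrip())
```

Keeping the previous scan's output and calling new_since() on each run turns a one-off scan into the inventory check the comment describes: anything that appears in the diff either gets a firewall rule or gets explained.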

  13. Wait what? by roc97007 · · Score: 1

    People still use Telnet?

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:Wait what? by Anonymous Coward · · Score: 0

      "internet of things" software "engineers" certainly seem to think it's a good idea.

    2. Re:Wait what? by Anonymous Coward · · Score: 0

      Real developers certainly do. It makes things much easier while developing a product. What the users do or don't do with it is another story. Most times it can be disabled.

    3. Re:Wait what? by arkane1234 · · Score: 1

      Real developers use encrypted channels. It's not hard, in fact it's easy.

      --
      -- This space for lease, low setup fee, inquire within!
    4. Re:Wait what? by Anonymous Coward · · Score: 0

      I really wish that Python had a native ssh client. Having to do it with a third party library just is annoying.

    5. Re:Wait what? by SharpFang · · Score: 1

      Try to create an IoT lightbulb with 8-bit microcontroller with 16KB RAM that runs SSH server.

      Squeezing a TCP stack into these things is a challenge.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    6. Re:Wait what? by JohnFen · · Score: 1

      Real developers certainly do

      Real incompetent developers do.

    7. Re:Wait what? by JohnFen · · Score: 1

      You need a TCP/IP stack to run a telnet server, too.

      99% of the time, if your microcontroller can handle telnet, it can handle ssh. (This didn't used to be true, but hardware is amazing these days).

      If you have a case in the 1%, the only responsible options are to use a different microcontroller or to not support TCP/IP at all.

    8. Re:Wait what? by SharpFang · · Score: 1

      "99% of the time, if your microcontroller can handle telnet, it can handle ssh. "

      Bullshit.

      Once you have the TCP stack, getting a Telnet access is a program of two dozen lines.

      SSH, even if you can miraculously squeeze it into RAM, will take an hour to process the initial crypto handshake - your CPU is most usually 1MHz, and already heavily loaded by primary job of the device.

      Of course you can use a different microcontroller. Increasing the price by 30% and falling behind the competition and losing most of your sales. And you can not support TCP/IP. Which defeats the purpose of IoT device.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    9. Re:Wait what? by JohnFen · · Score: 1

      Well, there's no point in debating whether or not SSH is possible to implement on a given device, really. It depends on the specific device in question for sure.

      However, even if you can't support SSH, that's no excuse to implement telnet. Telnet shouldn't be supported on any device that might be exposed to the internet, period. If you can't support a secure communications channel of some sort, then you shouldn't make the device.

    10. Re:Wait what? by SharpFang · · Score: 1

      Well, there's still the matter of what can be done through that Telnet.

      Devices that can't support SSH sure as hell won't support a fully-featured shell. Most likely it will be a pseudo-shell that exposes a couple commands of diagnostics and maybe (not necessarily) control. If it's just diagnostics, no problem. If it's control, that may be a bit of a bother. It certainly won't be able to run a botnet, send spam or create DDOS.

      My company produces devices that have Telnet port open. But since we're deploying them, we make sure the routers don't expose the port - and these routers are in restricted APN subnet with no simple access from outside anyway. Reason: devices are too busy doing their work; ssh is present but so slow that if the network connection is poor, it's unusable. In that case you ssh into the router, then telnet to the device.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    11. Re:Wait what? by JohnFen · · Score: 1

      we make sure the routers don't expose the port - and these routers are in restricted APN subnet with no simple access from outside anyway.

      Yes, all of my comments are specifically about devices that can be accessed from a non-secured network. If the network is secure, then there's nothing seriously wrong with telnet, depending on the level of security required for the installation.

      Obviously, the ideal situation is layered security, so that even if someone gained access to the secured network somehow, there is still strong security in play. For instance, all of the machines in my secured network communicate with encrypted channels anyway -- just in case.

    12. Re:Wait what? by SharpFang · · Score: 1

      That heavily depends on what the machines are. Small embedded is notoriously incapable of this due to inherent limitations. Big embedded - technically capable, but if you spend a month programming this stuff, you quickly find out how burdensome this gets, so you use insecure for development. Nowadays it's a rare case that the product actually enters the stage of "complete" as opposed to "good enough for production" so a lot of the debug stuff stays in, to be removed in the distant "when it's finished" which never comes.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    13. Re:Wait what? by JohnFen · · Score: 1

      All true.

      My preference (and I'm not saying it's one that applies to all situations or to everybody) is that any devices that aren't powerful enough to be secured also do not use TCP/IP. Mostly, this is to avoid accidentally exposing a device to a network segment that I didn't intend for it to be exposed to. This way they can talk to a piece of bridge equipment (via USB or Bluetooth, typically) that connects everything to the LAN.

      But I'm not personally constrained by factors like marketability or mass production, so I have quite a lot of room to maneuver here.

    14. Re:Wait what? by JohnFen · · Score: 1

      Nowadays it's a rare case that the product actually enters the stage of "complete" as opposed to "good enough for production" so a lot of the debug stuff stays in, to be removed in the distant "when it's finished" which never comes.

      I forgot to comment on this part -- I have seen this myself! It's a big (but not the only) reason why I simply don't trust any IoT devices that are currently on the market. I'd have to do security testing on them before use, and as long as I'm going to that effort, I may as well roll my own device so it works exactly as I want it to.

  14. Isn't it obvious? by Anonymous Coward · · Score: 0

    When people connect things to the network, we must I.D. IoT devices.

    Sorry I couldn't make that funnier.

  15. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  16. Telnet. Seriously by Anonymous Coward · · Score: 0

    Engineer> Hey, boss. The software for our new microwave is finally ready.
    Project Manager> Well... we've just received a last-minute request. Our marketing department asked us to add remote access so that they can get valuable stats on the most commonly cooked porridge brand.
    Engineer> But there's no time...
    PM> You're a smart guy. Find a way.

  17. Telnet?! Really?? by JohnFen · · Score: 1

    Even devices that have mediocre security know not to use telnet. Properly installed and configured, it's still a pretty severe security hole.

  18. Re:"Someone"? I think you mean... by Anonymous Coward · · Score: 0

    This was humor. Apparently mods don't know humor, even if it's bad, from #russiabots or #trumpbots (... if there's a difference between those latter two.).