Someone Published a List of Telnet Credentials For Thousands of IoT Devices (bleepingcomputer.com)
An anonymous reader writes: A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons. The list includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. During the past week, a security researcher has been working to find affected devices and notify owners or their ISPs. Following his work, only 2,174 devices still allow an attacker to log on via their Telnet port, and 1,775 of the published credentials still work. "There are devices on the list of which I never heard of," the researcher said, "and that makes the identification process much slower."
This would be something to blame on the people if they
a) knew the device used telnet
b) knew what telnet is
c) knew the device can be reached at all
If you want to throw dirt at someone, throw it at the assholes selling this garbage.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Okay, good for you, but isn't the point of *Internet* of Things devices that they are connected to the internet? If they aren't connected, they are just dumb devices and you wasted your money buying them.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
They didn't, they grabbed a standard Linux image that included Telnet and never gave it a thought.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
The problem isn't the credentials. It's the IP addresses. Now you know where they are and you can log in and hijack the devices.
Nobody should have been using telnet for the past 15 years.
Telnet is useful and deserves to live. When I hook up a terminal over a serial connection, I want telnet.
Also, a telnet client is one of the most useful troubleshooting tools you can find.
Telnet servers on the Internet are the problem, not telnet.