Slashdot Mirror

← Back to Stories (view on slashdot.org)

Someone Published a List of Telnet Credentials For Thousands of IoT Devices (bleepingcomputer.com)

Posted by msmash on from the privacy-woes dept.

An anonymous reader writes: A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons. The list includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. During the past week, a security researcher has been working to find affected devices and notify owners or their ISPs. Following his work, only 2,174 devices still allow an attacker to log on via its Telnet port, and 1,775 of the published credentials still work. "There are devices on the list of which I never heard of," the researcher said, "and that makes the identification process much slower."

12 of 104 comments (clear)

  1. good luck hacking in to mine by FudRucker · · Score: 3, Interesting

    all my IoT devices are on a separate LAN that is not connected to the internets, i had an extra wifi router laying around and put it to work as a LAN ONLY IoT DHCP server

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:good luck hacking in to mine by thebes · · Score: 4, Funny

      *slow clap*

    2. Re:good luck hacking in to mine by AmiMoJo · · Score: 3, Insightful

      Okay, good for you, but isn't the point of *Internet* of Things devices is that they are connected to the internet. If they aren't connected, they are just dumb devices and you wasted your money buying them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. Telnet!?!?!?!?!?!? by Major_Disorder · · Score: 2

    Really? It has been, what 25 years since I was told by a friend that using Telnet was a bad idea, and I should start using this newfangled ssh. I resisted for a while as my server was an old 386, and pretty slow to connect over ssh. But I eventually gave in and the world became a happier safer, and more secure place.

    --
    First law of people: People are generally stupid.
  3. Re:Non issue by Opportunist · · Score: 2, Insightful

    This would be something to blame on the people if they

    a) knew the device used telnet
    b) knew what telnet is
    c) knew the device can be reached at all

    If you want to throw dirt at someone, throw it at the assholes selling this garbage.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Blurring part of the screenshot wont save you by Anonymous Coward · · Score: 2, Informative

    Here's the link to an archived copy of that pastebin

  5. Not just botnetting. by Ungrounded+Lightning · · Score: 4, Informative

    Let me know when you get over ten million. Those IoT jobs have _tiny_ processors so your botnet has to have a whole lot of them to make it worth the hassle.

    It doesn't take much processor speed to be an effective botnet bot. The limit is the network bandwidth, which can generally be saturated with little crunch.

    Also: A "small processor" by today's standards is blazingly fast compared to those of even just a few years back. Typical IoT devices have plenty of processor speed, necessary to handle their networking protocols, which they only use in bursts. The battery powered ones achieve long life by spending almost all of their time "asleep", with nothing powered up but any persistent output lines and a wristwatch-crystal "alarm clock" to wake up the CPU when it's time to do some work - or turn on the radio and see if somebody needs to talk.

    But the issue is not just botnet operators adding them to their net.

    Those devices are doing some mission. If they can be rooted, an attacker can also take over and disrupt whatever it is they are supposed to be doing.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  6. Re:Non issue by HornWumpus · · Score: 3

    The router manufacturers have a large share of blame.

    The average /.er (that knows anything) has blocked the Telnet port, default router configs should do the same for the clueless.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  7. Re:Telnet? this is a joke right! by HornWumpus · · Score: 4, Insightful

    They didn't, they grabbed a standard Linux image that included Telnet and never gave it a thought.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  8. Re:Telnet? this is a joke right! by HornWumpus · · Score: 3, Informative

    It took me 30 seconds on Google to confirm. Busybox to start.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  9. Re:Something new? by Anonymous Coward · · Score: 2, Insightful

    The problem isn't the credentials. It's the IP addresses. Now you know where they are and you can login and hijack the devices.

  10. Re:Non issue by arth1 · · Score: 3, Insightful

    Nobody should have been using telnet for the past 15 years.

    Telnet is useful and deserves to live. When I hook up a terminal over a serial connection, I want telnet.
    Also, a telnet client is one of the most useful troubleshooting tools you can find.
    Telnet servers on Internet is the problem, not telnet.