Someone Published a List of Telnet Credentials For Thousands of IoT Devices

An anonymous reader writes: A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons. The list includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. During the past week, a security researcher has been working to find affected devices and notify owners or their ISPs. Following his work, only 2,174 devices still allow an attacker to log on via its Telnet port, and 1,775 of the published credentials still work. "There are devices on the list of which I never heard of," the researcher said, "and that makes the identification process much slower."

good luck hacking in to mine

[FudRucker]

all my IoT devices are on a separate LAN that is not connected to the internets, i had an extra wifi router laying around and put it to work as a LAN ONLY IoT DHCP server

Re:good luck hacking in to mine

[thebes]

*slow clap*

Re:good luck hacking in to mine

[AmiMoJo]

Okay, good for you, but isn't the point of *Internet* of Things devices is that they are connected to the internet. If they aren't connected, they are just dumb devices and you wasted your money buying them.

Not just botnetting.

[Ungrounded+Lightning]

Let me know when you get over ten million. Those IoT jobs have _tiny_ processors so your botnet has to have a whole lot of them to make it worth the hassle.

It doesn't take much processor speed to be an effective botnet bot. The limit is the network bandwidth, which can generally be saturated with little crunch.

Also: A "small processor" by today's standards is blazingly fast compared to those of even just a few years back. Typical IoT devices have plenty of processor speed, necessary to handle their networking protocols, which they only use in bursts. The battery powered ones achieve long life by spending almost all of their time "asleep", with nothing powered up but any persistent output lines and a wristwatch-crystal "alarm clock" to wake up the CPU when it's time to do some work - or turn on the radio and see if somebody needs to talk.

But the issue is not just botnet operators adding them to their net.

Those devices are doing some mission. If they can be rooted, an attacker can also take over and disrupt whatever it is they are supposed to be doing.

Re:Non issue

[HornWumpus]

The router manufacturers have a large share of blame.

The average /.er (that knows anything) has blocked the Telnet port, default router configs should do the same for the clueless.

Re:Telnet? this is a joke right!

[HornWumpus]

They didn't, they grabbed a standard Linux image that included Telnet and never gave it a thought.

Re:Telnet? this is a joke right!

[HornWumpus]

It took me 30 seconds on Google to confirm. Busybox to start.

Re:Non issue

[arth1]

Nobody should have been using telnet for the past 15 years.

Telnet is useful and deserves to live. When I hook up a terminal over a serial connection, I want telnet.
Also, a telnet client is one of the most useful troubleshooting tools you can find.
Telnet servers on Internet is the problem, not telnet.