Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Privacy Security

Someone Published a List of Telnet Credentials For Thousands of IoT Devices (bleepingcomputer.com) 104

An anonymous reader writes: A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons. The list includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. During the past week, a security researcher has been working to find affected devices and notify owners or their ISPs. Following his work, only 2,174 devices still allow an attacker to log on via its Telnet port, and 1,775 of the published credentials still work. "There are devices on the list of which I never heard of," the researcher said, "and that makes the identification process much slower."
This discussion has been archived. No new comments can be posted.

Someone Published a List of Telnet Credentials For Thousands of IoT Devices

Comments Filter:
  • I almost always turn to google when trying to remember WTF the default settings are on a newly reset device like routers, modems, etc.

    • So this is a handy list for device factory resets.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      The problem isn't the credentials. It's the IP addresses. Now you know where they are and you can login and hijack the devices.
      • The problem isn't the credentials. It's the IP addresses.

        Kinda. These addresses are trivially discoverable. If you run a firewall, take a look at its logs sometime. You'll see tons of portscans. Many of these are probes looking for devices like these.

        The only thing the list does is make it a little more convenient.

    • Any router I've purchased that resets to a custom password I give a one star review to.

      The numbers always wear down and I'm left with a brick (little USB powered travel ones, so they get more motion than a typical router).

  • by FudRucker ( 866063 ) on Monday August 28, 2017 @04:45PM (#55099397)
    all my IoT devices are on a separate LAN that is not connected to the internets, i had an extra wifi router laying around and put it to work as a LAN ONLY IoT DHCP server
    • by thebes ( 663586 ) on Monday August 28, 2017 @04:47PM (#55099413)

      *slow clap*

    • Want me to sell you one that still gives me all the info I want about your lan?

      • unless you can crack wpa2, and wifi admin access to the router has been disabled, got to admin it with ethernet connection, and if you get that close to the router you will have bigger problems than cracking a password
        • Well, let's see. You have to connect it in some way to your network. Either it's wireless. Then you have to give my device your WPA2 key. Or it's wired. Then I'm connected anyway. What I need now is one stupid neighbor who does not secure his WiFi AP so I have an egress point for the data.

          The rest is mostly dependent on how your network is set up. There's always a way in and a way out, all that matters is finding it.

        • unless you can crack wpa2

          If someone can place a small device within your WiFi range for a few days, and you have devices connecting and disconnecting during that time, then WPA2 is totally crackable.

          If you're very concerned about security, you want all your devices to be using good crypto and authentication procedures even when you're using WPA2.

    • by AmiMoJo ( 196126 ) <mojoNO@SPAMworld3.net> on Monday August 28, 2017 @05:33PM (#55099667) Homepage Journal

      Okay, good for you, but isn't the point of *Internet* of Things devices is that they are connected to the internet. If they aren't connected, they are just dumb devices and you wasted your money buying them.

      • Hey, you can let the devices connect to the internet, you're just blocking brain-dead incoming telnet traffic to the device.

        Assuming, of course, that you know how to configure routing on your internal network and know what port(s) from the device are needed to support necessary connectivity...

      • by narced ( 1078877 )

        I'm sure that I've told you this before, but:

        const int one = 65536;

        Is wrong. If you add 1 to 65,535 in a 16 bit unsigned integer you get 0, not 1.

      • If they aren't connected, they are just dumb devices

        Umm, no. A smart device is one that can do its own computations. Being connected to the internet is not part of the definition.

        Likewise, if you have a device that relies on a server to do its computations, it's only a smart device in the sense that it has enough brains to connect to the internet. In every other respect, it's a dumb device.

    • Congratulation on belonging to less than 0.1% of Internet users. That will help you so much with bot ddos attacks.

    • by AvitarX ( 172628 )

      But what's the point if you can't set your heat A/C on your way home from vacation, or check that everything is going fine remotely?

      I mean, control of devices from my phone while on the couch has some value, but it's the jnternet connection that's even more important.

  • Really? It has been, what 25 years since I was told by a friend that using Telnet was a bad idea, and I should start using this newfangled ssh. I resisted for a while as my server was an old 386, and pretty slow to connect over ssh. But I eventually gave in and the world became a happier safer, and more secure place.
  • I count 6 logins as even trying.

    • I saw a different list than is been seen now, it has been updated and the following is what I read

      a823fad on Oct 7, 2016
      @danielmiessler danielmiessler Mirai botnet creds.
      62 lines (60 sloc) 779 Bytes
      root xc3511
      root vizxv
      root admin
      admin admin
      root 888888
      root xmhdipc
      root default
      root jauntech
      root 123456
      root 54321
      support support

      • and:
        root (none)
        admin password
        root root
        root 12345
        user user
        admin (none)
        root pass
        admin admin1234
        root 1111
        admin smcadmin
        admin 1111
        root 666666
        root password
        root 1234
        root klv123
        Administrator admin
        service service
        supervisor supervisor
        guest guest
        guest 12345
        admin1 password
        administrator 1234
        666666 666666
        888888 888888

        • and
          ubnt ubnt
          root klv1234
          root Zte521
          root hi3518
          root jvbzd
          root anko
          root zlxx.
          root 7ujMko9vizxv
          root 7ujMko0admin
          root system
          root ikwb
          root dreambox
          root user
          root realtek
          root 000000
          admin 1111111
          admin 1234
          admin 12345

        • Sorry it came to this, and:
          admin 54321
          admin 123456
          admin 7ujMko0admin
          admin pass
          admin meinsm
          tech tech
          m@t#er f#cker - curse filter

  • Any FBI / CIA / NSA logins? with there names as the login

  • What business does any manufacturer have enabling or using telnet on any products!
  • Do a port scan with nmap for every device you have on your network? And every time you add one?

    Then you can block things you don't want accessed from the Internet on your firewall/router...

  • People still use Telnet?

  • Even devices that have mediocre security know not to use telnet. Properly installed and configured, it's still a pretty severe security hole.

Don't be irreplaceable, if you can't be replaced, you can't be promoted.