Someone Published a List of Telnet Credentials For Thousands of IoT Devices (bleepingcomputer.com)
An anonymous reader writes: A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons. The list includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. During the past week, a security researcher has been working to find affected devices and notify owners or their ISPs. Following his work, only 2,174 devices still allow an attacker to log on via their Telnet port, and 1,775 of the published credentials still work. "There are devices on the list of which I never heard of," the researcher said, "and that makes the identification process much slower."
Something new? (Score:2)
I almost always turn to google when trying to remember WTF the default settings are on a newly reset device like routers, modems, etc.
Re: (Score:2)
The problem isn't the credentials. It's the IP addresses.
Kinda. These addresses are trivially discoverable. If you run a firewall, take a look at its logs sometime. You'll see tons of portscans. Many of these are probes looking for devices like these.
The only thing the list does is make it a little more convenient.
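Added example, not part of the original thread: one way to see the probing described in the comment above in your own firewall log, by counting new inbound TCP attempts to the Telnet ports per source. The log lines are constructed samples in the netfilter LOG layout; the `FW-DROP: ` prefix, the threshold and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}          # 23 plus the alternate port Mirai also probed
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return (source IP, destination port) for a new inbound TCP attempt, else None."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or not fields.get("DPT", "").isdigit():
        return None
    flags = set(line.split())
    if "SRC" not in fields or "SYN" not in flags or "ACK" in flags:
        return None                # skip replies and established traffic
    return fields["SRC"], int(fields["DPT"])

def summarize(lines, scan_threshold=3):
    """Count Telnet probes per source and list sources touching many distinct ports."""
    telnet_hits, ports_seen = defaultdict(int), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dpt = parsed
        ports_seen[src].add(dpt)
        if dpt in TELNET_PORTS:
            telnet_hits[src] += 1
    scanners = sorted(s for s, p in ports_seen.items() if len(p) >= scan_threshold)
    return dict(telnet_hits), scanners

def _line(src, dpt, flags="SYN", proto="TCP"):
    # Constructed sample in the netfilter LOG layout (abbreviated; "FW-DROP: " is an assumed prefix).
    return (f"Aug 29 15:53:10 gw kernel: FW-DROP: IN=eth0 OUT= SRC={src} DST=203.0.113.10 "
            f"LEN=40 TTL=241 PROTO={proto} SPT=40211 DPT={dpt} WINDOW=1024 {flags} URGP=0")

SAMPLE_LOG = [
    _line("198.51.100.7", 23), _line("198.51.100.7", 2323), _line("198.51.100.7", 23),
    _line("192.0.2.44", 22), _line("192.0.2.44", 23), _line("192.0.2.44", 8080),
    _line("203.0.113.99", 443, flags="ACK PSH"),     # established traffic, ignored
    _line("192.0.2.80", 53, flags="", proto="UDP"),  # not TCP, ignored
]

if __name__ == "__main__":
    hits, scanners = summarize(SAMPLE_LOG)
    for src, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} Telnet probe(s)")
    print("sources probing 3+ distinct ports:", scanners)
```

To use it on a real gateway, pass the lines of the kernel log instead of `SAMPLE_LOG`.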
Re: Something new? (Score:1)
Any router I've purchased that resets to a custom password I give a one star review to.
The numbers always wear down and I'm left with a brick (little USB powered travel ones, so they get more motion than a typical router).
Re: (Score:1)
Yes, the fact that the router requires a chore to prevent bricking is annoying, thus the one star.
If they want security, don't route to a gateway until it's been set up, and force passwords and wireless security then.
Re: (Score:2)
These are commercially manufactured devices, not hobbyist ones made by people who don't know any better.
There is exactly zero excuse for these devices to be running telnet servers.
Re: (Score:3, Insightful)
This would be something to blame on the people if they
a) knew the device used telnet
b) knew what telnet is
c) knew the device can be reached at all
If you want to throw dirt at someone, throw it at the assholes selling this garbage.
Re: (Score:2)
Yeah, I knew all those. It was my honeypot, you insensitive clod!
Re: (Score:2)
If you look in the right webpages, they'll tell you how to set up your personal data server, so you can access all your videos and documents from anywhere in the world without having to need a username or password to log in.
Re: (Score:2)
There's plenty of blame to go around. Shareholders, developers, their managers, the users... why shouldn't everyone share? Assign guilt to everyone involved by the amount of profit gained.
Re: (Score:2)
I can see ISPs blocking telnet and other services, the same way as they block port 21 to prevent email spam.
Maybe they could sell it as a feature. Have a second SSID for not-very-smart devices that is firewalled and remotely filtered and monitored for malicious activity. The privacy implications are mind boggling but I'm sure most people would see it as a great feature.
Re: (Score:2)
Blocking port 21 will probably not really help against mail spam, but it might work wonders against illegal FTP filesharing... if that still was a thing, that is.
My ISP started filtering the netbios trinity and its sister ports a few years ago (i.e. 135, 137-139 and 445), which was the death spell to my favorite pastime, collecting people's private porn pics.
Re:Non issue (Score:4)
The router manufacturers have a large share of blame.
The average /.er (that knows anything) has blocked the Telnet port, default router configs should do the same for the clueless.
Re: (Score:2)
Fuckoff AC, you don't even know which port Telnet runs on. Quit trying to act smart.
Re:Non issue (Score:4, Insightful)
Nobody should have been using telnet for the past 15 years.
Telnet is useful and deserves to live. When I hook up a terminal over a serial connection, I want telnet.
Also, a telnet client is one of the most useful troubleshooting tools you can find.
Telnet servers on the Internet are the problem, not telnet.
Re: (Score:2)
The first unix troubleshooting trick I learned was 'telnet to the remote port to see if it is listening/responding'. Of course that was before ssh.
It's still very useful. Most services are text based, and you can generate queries and see the actual unparsed replies, which is a great help in troubleshooting. SMTP and HTTP in particular are often troubleshot with a telnet client.
telnet www.google.com 80
Trying 2607:f8b0:4006:815::2004...
Connected to www.google.com.
Escape character is '^]'.
HEAD / HTTP/1.1
Host: www.google.com
Connection: close
HTTP/1.1 200 OK
Date: Tue, 29 Aug 2017 15:53:10 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text
Re: (Score:1)
What is bad is "telnetd", the remote access service allowing remote administration, with everything in cleartext, usually listening on port 23.
good luck hacking in to mine (Score:4, Interesting)
Re:good luck hacking in to mine (Score:5, Funny)
*slow clap*
Re: (Score:2)
What, so I can pretend to be cool with a raspberry pi idling away on this wifi network?
Re: (Score:2)
That's not hard. NewEgg is often offering those magically craptastic OnNet routers for free with the purchase of a Motorola cable modem.
Re: (Score:1)
That's not hard. NewEgg is often offering those magically craptastic OnNet routers for free with the purchase of a Motorola cable modem.
And they're worth every penny you paid.
Re: (Score:2)
Want me to sell you one that still gives me all the info I want about your lan?
Re: (Score:2)
Well, let's see. You have to connect it in some way to your network. Either it's wireless. Then you have to give my device your WPA2 key. Or it's wired. Then I'm connected anyway. What I need now is one stupid neighbor who does not secure his WiFi AP so I have an egress point for the data.
The rest is mostly dependent on how your network is set up. There's always a way in and a way out, all that matters is finding it.
Re: (Score:2)
unless you can crack wpa2
If someone can place a small device within your WiFi range for a few days, and you have devices connecting and disconnecting during that time, then WPA2 is totally crackable.
If you're very concerned about security, you want all your devices to be using good crypto and authentication procedures even when you're using WPA2.
Re: (Score:2)
LAN of things? LoT?
Re:good luck hacking in to mine (Score:4, Insightful)
Okay, good for you, but isn't the point of *Internet* of Things devices that they are connected to the internet? If they aren't connected, they are just dumb devices and you wasted your money buying them.
Re: (Score:2)
Hey, you can let the devices connect to the internet, you're just blocking brain-dead incoming telnet traffic to the device.
Assuming, of course, that you know how to configure routing on your internal network and know what port(s) from the device are needed to support necessary connectivity...
Re: good luck hacking in to mine (Score:1)
But then they're not on a LAN only network anymore.
Re: (Score:1)
I'm sure that I've told you this before, but:
const int one = 65536;
Is wrong. If you add 1 to 65,535 in a 16 bit unsigned integer you get 0, not 1.
Re: (Score:2)
If they aren't connected, they are just dumb devices
Umm, no. A smart device is one that can do its own computations. Being connected to the internet is not part of the definition.
Likewise, if you have a device that relies on a server to do its computations, it's only a smart device in the sense that it has enough brains to connect to the internet. In every other respect, it's a dumb device.
Re: good luck hacking in to mine (Score:2)
Congratulations on belonging to less than 0.1% of Internet users. That will help you so much with bot ddos attacks.
Re: (Score:1)
But what's the point if you can't set your heat A/C on your way home from vacation, or check that everything is going fine remotely?
I mean, control of devices from my phone while on the couch has some value, but it's the internet connection that's even more important.
Telnet!?!?!?!?!?!? (Score:2)
Re: (Score:2)
You are correct in terms of sniffing existing data streams. You are incorrect in terms of preventing attackers from gaining access to your system.
Telnet is intrinsically insecure.
Not just botnetting. (Score:5, Informative)
Let me know when you get over ten million. Those IoT jobs have _tiny_ processors so your botnet has to have a whole lot of them to make it worth the hassle.
It doesn't take much processor speed to be an effective botnet bot. The limit is the network bandwidth, which can generally be saturated with little crunch.
Also: A "small processor" by today's standards is blazingly fast compared to those of even just a few years back. Typical IoT devices have plenty of processor speed, necessary to handle their networking protocols, which they only use in bursts. The battery powered ones achieve long life by spending almost all of their time "asleep", with nothing powered up but any persistent output lines and a wristwatch-crystal "alarm clock" to wake up the CPU when it's time to do some work - or turn on the radio and see if somebody needs to talk.
But the issue is not just botnet operators adding them to their net.
Those devices are doing some mission. If they can be rooted, an attacker can also take over and disrupt whatever it is they are supposed to be doing.
Re: (Score:2)
This is 100% correct.
You'd be amazed what you can do with even a ten-cent, 6 pin microcontroller.
Blurring part of the screenshot won't save you (Score:2, Informative)
Here's the link to an archived copy of that pastebin [archive.is]
Actually M@T#ER F#CKER is pretty good (Score:2)
I count 6 logins as even trying.
Re: (Score:2)
I saw a different list than is being seen now; it has been updated, and the following is what I read
SecLists/Passwords/mirai_botnet.txt
a823fad on Oct 7, 2016
@danielmiessler danielmiessler Mirai botnet creds.
62 lines (60 sloc) 779 Bytes
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root jauntech
root 123456
root 54321
support support
Re: (Score:2)
and:
root (none)
admin password
root root
root 12345
user user
admin (none)
root pass
admin admin1234
root 1111
admin smcadmin
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
Re: (Score:2)
and
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko9vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 000000
admin 1111111
admin 1234
admin 12345
Re: (Score:2)
Sorry it came to this, and:
admin 54321
admin 123456
admin 7ujMko0admin
admin pass
admin meinsm
tech tech
m@t#er f#cker - curse filter
Any FBI / CIA / NSA logins? (Score:2)
Any FBI / CIA / NSA logins? With their names as the login
Telnet? this is a joke right! (Score:2)
Re:Telnet? this is a joke right! (Score:5, Insightful)
They didn't, they grabbed a standard Linux image that included Telnet and never gave it a thought.
Re:Telnet? this is a joke right! (Score:4, Informative)
It took me 30 seconds on Google to confirm. Busybox to start.
You mean you don't (Score:2)
Do a port scan with nmap for every device you have on your network? And every time you add one?
Then you can block things you don't want accessed from the Internet on your firewall/router...
Wait what? (Score:2)
People still use Telnet?
Re: (Score:1)
Real developers use encrypted channels. It's not hard, in fact it's easy.
Re: (Score:2)
Try to create an IoT lightbulb with 8-bit microcontroller with 16KB RAM that runs SSH server.
Squeezing a TCP stack into these things is a challenge.
Re: (Score:2)
You need a TCP/IP stack to run a telnet server, too.
99% of the time, if your microcontroller can handle telnet, it can handle ssh. (This didn't use to be true, but hardware is amazing these days).
If you have a case in the 1%, the only responsible options are to use a different microcontroller or to not support TCP/IP at all.
Re: (Score:2)
"99% of the time, if your microcontroller can handle telnet, it can handle ssh. "
Bullshit.
Once you have the TCP stack, getting a Telnet access is a program of two dozen lines.
SSH, even if you can miraculously squeeze it into RAM, will take an hour to process the initial crypto handshake - your CPU is most usually 1MHz, and already heavily loaded by primary job of the device.
Of course you can use a different microcontroller. Increasing the price by 30% and falling behind the competition and losing most of yo
Re: (Score:2)
Well, there's no point in debating whether or not SSH is possible to implement on a given device, really. It depends on the specific device in question for sure.
However, even if you can't support SSH, that's no excuse to implement telnet. Telnet shouldn't be supported on any device that might be exposed to the internet, period. If you can't support a secure communications channel of some sort, then you shouldn't make the device.
Re: (Score:2)
Well, there's still the matter of what can be done through that Telnet.
Devices that can't support SSH sure as hell won't support a fully-featured shell. Most likely it will be a pseudo-shell that exposes a couple commands of diagnostics and maybe (not necessarily) control. If it's just diagnostics, no problem. If it's control, that may be a bit of a bother. It certainly won't be able to run a botnet, send spam or create DDOS.
My company produces devices that have Telnet port open. But since we're deploying t
Re: (Score:2)
we make sure the routers don't expose the port - and these routers are in restricted APN subnet with no simple access from outside anyway.
Yes, all of my comments are specifically about devices that can be accessed from a non-secured network. If the network is secure, then there's nothing seriously wrong with telnet, depending on the level of security required for the installation.
Obviously, the ideal situation is layered security, so that even if someone gained access to the secured network somehow, there is still strong security in play. For instance, all of the machines in my secured network communicate with encrypted channels anyway -- jus
Re: (Score:2)
That heavily depends on what the machines are. Small embedded is notoriously incapable of this due to inherent limitations. Big embedded - technically capable, but if you spend a month programming this stuff, you quickly find out how burdensome this gets, so you use insecure for development. Nowadays it's a rare case that the product actually enters the stage of "complete" as opposed to "good enough for production" so a lot of the debug stuff stays in, to be removed in the distant "when it's finished" which
Re: (Score:2)
All true.
My preference (and I'm not saying it's one that applies to all situations or to everybody) is that any devices that aren't powerful enough to be secured also do not use TCP/IP. Mostly, this is to avoid accidentally exposing a device to a network segment that I didn't intend for it to be exposed to. This way they can talk to a piece of bridge equipment (via USB or Bluetooth, typically) that connects everything to the LAN.
But I'm not personally constrained by factors like marketability or mass produc
Re: (Score:2)
Nowadays it's a rare case that the product actually enters the stage of "complete" as opposed to "good enough for production" so a lot of the debug stuff stays in, to be removed in the distant "when it's finished" which never comes.
I forgot to comment on this part -- I have seen this myself! It's a big (but not the only) reason why I simply don't trust any IoT devices that are currently on the market. I'd have to do security testing on them before use, and as long as I'm going to that effort, I may as well roll my own device so it works exactly as I want it to.
Re: (Score:2)
Real developers certainly do
Real incompetent developers do.
Telnet?! Really?? (Score:2)
Even devices that have mediocre security know not to use telnet. Properly installed and configured, it's still a pretty severe security hole.