Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 14 submissions in the queue.

Hacker Leaks More Than 500K Telnet Credentials for IoT Devices

posted by martyb on Wednesday January 22 2020, @01:36PM   Printer-friendly
from the the-"S"-in-IoT-is-for-security dept.

Fnord666 writes:

Source: Hacker Leaks More Than 500K Telnet Credentials for IoT Devices

A hacker has published a list of credentials for more than 515,000 servers, home routers and other Internet of Things (IoT) devices online on a popular hacking forum in what's being touted as the biggest leak of Telnet passwords to date, according to a published report.

The leak—revealed in a report on ZDNet—demonstrates once again the inherent insecurity of the Telnet protocol as well as highlights persistent security flaws that could affect business networks as more and more so-called "smart" devices connect to the internet from home networks.

The hacker compiled the list–which includes each device's IP address, as well as a username and password for Telnet–by scanning the entire internet for devices that were exposing their Telnet port, according to the report. The bad actor then used factory-set default usernames and passwords and/or easy-to-guess password combinations to gain credentials, according to ZDNet.

The list the hacker compiled is known as a "bot list," which IoT botnet operations rely on to connect to devices and install malware. The hacker, who himself is a maintainer of a DDoS-for-hire—also known as a DDoS booter service–according to the report, had a vested interest in compiling such an extensive list because of a change in the way he conducts his business, according to ZDnet.

The one spot of good news for those owning devices on the list is that all the credentials leaked by the hacker are dated October to November 2019, which means some of the devices might now use different login credentials or run on different IP addresses, according to the report.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Hacker Leaks More Than 500K Telnet Credentials for IoT Devices | Log In/Create an Account | Top | 9 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 5, Funny) by DannyB on Wednesday January 22 2020, @03:21PM (1 child)

    by DannyB (5839) Subscriber Badge on Wednesday January 22 2020, @03:21PM (#946841) Journal

    We need: Security Hardened Internet of Things (SHIoT)

    First, run Telnet on a non standard port. That way nobody could ever find it.

    Second, 500,000 different Telnet credentials for devices? Seriously? Can't everyone get together on this and come up with a single industry standard Telnet credential for all devices? A single perfect secure password. [mostsecure.pw] that is ISO 27001 compliant.

    Third, require strict secrecy of this credential. Company T-shirts should be worn inside-out to conceal the password.

    It seems like anyone simple minded could adopt security measures like this.

    --
    When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
    Starting Score:    1  point
    Moderation   +3  
       Insightful=1, Funny=2, Total=3
    Extra 'Funny' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   5  

  • (Score: 0) by Anonymous Coward on Wednesday January 22 2020, @09:46PM

    by Anonymous Coward on Wednesday January 22 2020, @09:46PM (#947030)

    Instead we get the Internet of Things That Suck (IoTTS). Too bad it isn't closer in spelling to some curse word. maybe in another language??