Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Wednesday January 22 2020, @01:36PM   Printer-friendly
from the the-"S"-in-IoT-is-for-security dept.

Source: Hacker Leaks More Than 500K Telnet Credentials for IoT Devices

A hacker has published a list of credentials for more than 515,000 servers, home routers and other Internet of Things (IoT) devices online on a popular hacking forum in what's being touted as the biggest leak of Telnet passwords to date, according to a published report.

The leak—revealed in a report on ZDNet—demonstrates once again the inherent insecurity of the Telnet protocol as well as highlights persistent security flaws that could affect business networks as more and more so-called "smart" devices connect to the internet from home networks.

The hacker compiled the list–which includes each device's IP address, as well as a username and password for Telnet–by scanning the entire internet for devices that were exposing their Telnet port, according to the report. The bad actor then used factory-set default usernames and passwords and/or easy-to-guess password combinations to gain credentials, according to ZDNet.

The list the hacker compiled is known as a "bot list," which IoT botnet operations rely on to connect to devices and install malware. The hacker, who himself is a maintainer of a DDoS-for-hire—also known as a DDoS booter service–according to the report, had a vested interest in compiling such an extensive list because of a change in the way he conducts his business, according to ZDnet.

The one spot of good news for those owning devices on the list is that all the credentials leaked by the hacker are dated October to November 2019, which means some of the devices might now use different login credentials or run on different IP addresses, according to the report.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by zocalo on Wednesday January 22 2020, @03:09PM (1 child)

    by zocalo (302) on Wednesday January 22 2020, @03:09PM (#946837)
    My parsing of the story title was pretty much this:

    "Hacker Leaks More Than 500K Telnet Credentials..."
    WTF is this, the 2000s? (SSH was created in 1995, my first full replacement of Telnet CLI access with SSH was completed during 1999 on the back of our Y2K efforts)
    "...for IoT Devices"
    Still more accurately the "IoS" then? Why am I not surprised?

    While it may have its uses for debugging other text-based protocols (e.g. HTTP, SMTP) and the like, do any operating systems even install the Telnet *client* by default any more? I know none of the BSD and Linux distros I currently use do because I always end up installing it myself should I ever need it. Even if they have not implemented SSH, you can bet they have at least HTTP, if not HTTPS, which are supported out of the box by *everything* that might potentially be used to configure the PoS; sure, install the Telnet daemon as a last resort if you must, but is it *really* that hard to at least have it off by default since few, if any, are going to use it in the first place?

    Nothing at all, indeed.
    --
    UNIX? They're not even circumcised! Savages!
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 3, Interesting) by Thexalon on Wednesday January 22 2020, @03:19PM

    by Thexalon (636) on Wednesday January 22 2020, @03:19PM (#946840)

    But how else will the manufacturer be able to find out how you are using your Internet-connected kitchen gadgets? We plainly need that data for ... research, I guess.

    Brian Lunduke's talk The Internet of Things is Going to Destroy Us All [youtube.com], given at an embedded Linux conference full of people who make IoT crap, is worth the 20 minutes of your time to watch it.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.