A hacker has deliberately leaked a list of 515,000+ logins. It turns out there are countless devices on the internet with open telnet ports. And loads of them have easily guessable username/password combos.
Wait. Telnet? The 40-year-old unencrypted terminal protocol? So simple it barely even deserves to be called a protocol?
Sad but true. In today’s SB Blogwatch, we ponder what the S stands for in IoT.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Better Old People.
What’s the craic, Catalin Cimpanu? He reports—“Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices”:
The list, which was published on a popular hacking forum, includes each device’s IP address, along with a username and password [usable via] Telnet. … These types of lists … are a common component of an IoT botnet operation. Hackers … use them to connect to the devices and install malware.
Using IoT search engines like BinaryEdge and Shodan, [we] identified devices all over the world. Some devices were located on the networks of known internet service providers (indicating they were either home router or IoT devices), but other devices were located on the networks of major cloud service providers.
And Nathaniel Mott adds—“Hacker Publishes Credentials”:
Attackers could use those credentials to gain remote access to the affected devices. That access could in turn allow the attackers to recruit the devices in botnets that would be used to conduct DDoS attacks, engage in ad fraud or assist with other schemes. Adding more than half a million devices to a botnet could be useful.
People who rely on these so-called smart devices might want to make sure their Telnet credentials are different from the manufacturer’s default username/password combination, hard to guess and private. Otherwise they might find out their internet-connected toaster is doing more than just burning their bread every morning.
But why Telnet? Nishit Raghuwanshi explains—“515,000 Servers, Routers & IoT Devices”:
Telnet is a client-server protocol used for communicating with a remote device or server. … The list containing IP addresses and … credentials was created by scanning the internet for devices exposing their Telnet ports.
So jsilence silently screams in German: [You’re fired—Ed.]
Why for kreisch sake is anyone still using telnet for anything?
Stop the press (ask your parents). WackZoner translates:
BREAKING: Insecure idea figured out to be insecure.
Yeah, why not use ssh? Aighearach explains why not:
Because microcontrollers or microprocessors have a hard time managing ssh. You can do telnet with a 2 cent, 8 bit microcontroller. ssh requires 32 bit, a bunch of flash, and more RAM than whatever else most embedded devices do.
Also, a lot of these devices are intended to be used on a LAN, and the developers don’t really feel responsible for your security if you put it on a routeable address. If that is reasonable of them or not depends on the rest of the context, especially when adding security would require more expensive parts.
But are these all real devices? lrgame1983 suspects not:
499,999 honeypots and 1 forgotten telnet server is what they actually are trying to say. … I run 3 of those 499,999 telnet honeypots and am amazed how many hits they all get. I’m not even trying to mimic a certain service, just a raw open port is enough.
Meanwhile, here’s Co BIY with a naughty suggestion:
Can someone take the list, remotely access all the devices, and change the passwords to something secure and totally random? Seems like a fun project!
Better Old People
Previously in And Finally
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Donald Clark (Pixabay)