Half a Million IoT Device Passwords Published

It's a list of easy-to-guess passwords for IoT devices on the Internet as recently as last October and November. Useful for anyone putting together a bot network:

A hacker has published this week a massive list of Telnet credentials for more than 515,000 servers, home routers, and IoT (Internet of Things) "smart" devices.

The list, which was published on a popular hacking forum, includes each device's IP address, along with a username and password for the Telnet service, a remote access protocol that can be used to control devices over the internet.

According to experts to who ZDNet spoke this week, and a statement from the leaker himself, the list was compiled by scanning the entire internet for devices that were exposing their Telnet port. The hacker than tried using (1) factory-set default usernames and passwords, or (2) custom, but easy-to-guess password combinations.

Posted on January 22, 2020 at 6:09 AM • 16 Comments

Comments

Clive RobinsonJanuary 22, 2020 9:04 AM

@ ALL,

I know I'm getting old but,

along with a username and password for the Telnet service,

Jessh I thought the first advisory that Moses was given before he went to mount sinai was "God nolonger uses Telnet, nor should mankind". If I remember rightly the protocol was developed just so the "Let There Be Light" command could be sent when security was not an issue...

But seriously have people forgoton why Telnet was dropped like a lead kipper?

It's because it's plaintext all the way with usernames and passwords open to anyone along the way who can "traffic sniff"... Thus they can get your credentials, and be you...

MGDJanuary 22, 2020 9:40 AM

During work assignments as a field technician I have been directed to configure devices using telnet

MeJanuary 22, 2020 1:08 PM

At my last employer they used Telnet, I asked if we should use something like ssh instead, they replied, it's fine.

To be fair, the login credentials we used were shared across all employees to log into our tests systems.

MeJanuary 22, 2020 1:10 PM

To be clear, I am not saying that shared credentials are good, just that "sniffers" would likely already have them, so there isn't much to loose.

BillJanuary 22, 2020 2:53 PM

I use telnet all the time. It's great for testing TCP services such as SMTP, SQL, etc to see if server is accessible.

Ted HaleJanuary 22, 2020 3:52 PM

@Bill - I understand that use, but I use nc (netcat) instead. It has less overhead and doesn't confuse the service by trying to do capabilities negotiations (or whatever the telnet protocol calls it.)

Peter A.January 22, 2020 3:57 PM

@Bill: you use the telnet client program not the TELNET protocol. The client works then as a simple data pipe between your keyboard and the SMTP (or whatever) server. The TELNET protocol control sequences are not used at all.

Yes, it's more handy than nc or socat for simple cases.

Jesse ThompsonJanuary 22, 2020 3:57 PM

@Clive Robinson

Re: Telnet

Telnet is a *simpler* protocol than SSH (same for HTTP vs HTTPS). It lacks encryption, but as plenty of examples have demonstrated recently encryption is second cousins to useless when..

A: authorization is impossible (chicken and egg: how do you establish a secure connection to exchange host/client keys for the first time? How many users ignore the "host key has changed" warning and push through anyway, presuming that somebody in the org had to replace the hardware or reimage the firmware or something?)

B: the hardware lacks the memory and/or CPU power to performantly encrypt (I made the mistake of enabling HTTPS on an Idrac6 for a poweredge 1850 a decade back, and had to click through dozens of pages loading at 1 minute + per page — when they didn't time out, that is — just to turn it back off again)

C: you can't keep the encryption algorithms up to date. I've got a Sandvine SRP appliance that can no longer send me emails because it's SMTP/TLS protocols are older than my Postfix mailserver will accept. I'd have to nerf Postfix until *all* inbound mail stopped being secure from MITM just to bridge that gap, or Sandvine could upgrade their protocols (per their support, not happenin' bub) or... Sandvine could just send the mail SMTP with no TLS! My Postfix server supports that, it wouldn't endanger anyone else's email, the reports SRP sends me aren't sensitive AND SRP is on the same physical subnet as Postfix!!#@$@#$

D: You need to proxy/CDN the requests without handing the likes of Cloudflare full control over your website's digital identity. 🙄


While for control over IOT devices D might not matter, A through C can represent some pain points.


Another part of the problem is that the population of people who care enough and understand enough about digital security to be comfortable with whatever obstacles using SSH or TLS will throw in their path is such a small percentage of such a small percentage of the general public that it could be used to illustrate homeopathic practices.

The average person thinks "I want to be secure, but I want the vendor to be as responsible for that status as they are for the product working in the first place". EG something bad happens, vendor is at fault and vendor is on the hook to make things right again.

Most vendors in turn rely upon the phenomenally low frequency of customer-facing problems cropping up to cover their butts. What percentage of IOT refrigerators get hacked in such a way that the owner of the refrigerator is irreparably harmed? After all it is hard to crypto-locker a fridge. "Pay 3BTC to this address or we won't let the door open so you can get to your milk"? "Meet our demands or we'll tell everyone what your favorite flavor of ice cream really is"?

That's why every dollar of extra expense to secure a fridge and every iota of extra effort the customer has to expend to operate their fridge pushes that product directly out of marketability.

Telnet is simple. HTTP is easy. Doorknobs with no tumbler lock require you to keep track of no keys, which is why my bathroom door has no tumbler lock.

And probably most vitally, a terrible password with a default username for an SSH service defeats virtually every other secure feature of the protocol in one swoop.

Ergo SumJanuary 22, 2020 5:52 PM

@Jesse Thompson...

Telnet is simple. HTTP is easy.

Security is inconvenient and hard...

Doorknobs with no tumbler lock require you to keep track of no keys, which is why my bathroom door has no tumbler lock.

You do have a tumbler lock for the entrance door, don't you? You may even have a "Ring" for your entrance door...

Clive RobinsonJanuary 22, 2020 9:40 PM

@ PeterA, Bill, Ted Hale,

Yes, it's more handy than nc or socat for simple cases.

It's also "less suspicious" as the Telnet Client usually comes with any --non MS-- OS as a standard util or comms package.

@ Jesse Thompson,

You trying to steal my claim to being the person with the longest posts ;-)

With regards,

...but as plenty of examples have demonstrated recently encryption is second cousins to useless...

Yes a point I make from time to time for various reasons. But encryption does give you communications contents privacy by default on the wire against anything other than deliberate attempts to break it.

Yes it's a bit of a "fig leaf argument" but the point does make a difference.

But lets look at your points,

A: authorization is impossible

The problem you describe is several centuries if not millennia old. Befor 1973 and the publication of the RSA paper, all encryption required two things,

1, An independent and secure side channel to exchange a secret.
2, A secure way to store the secret from others.

Diplomats used to carry their code books to their posting and then hand them to their Secretary who would lock them up in a draw or a few centuries later a safe.

The RSA paper alowed for a short while people to apparently not need either the secure side channel or the storage of shared secrets. Since the 1980's various other papers have indicated that Quantum Computing could exist, and later that RSA and other methods of encryption were vulnerable.

However, with regards IoT and other "setup locally" devices, the manufacturer could fairly easily setup the production line such that a unit could have a random pasword generated and printed on a peel off lable on the device. I know this can be done easily because I used to design FMCE equipment that needed units to be able to communicate using shared secrets. Thus had to design it into the production process.

B: the hardware lacks the memory and/or CPU power to performantly encrypt

This is generaly not --or should not be-- a problem these days with symmetric encryption. However the problems with asymmetric or PubKey encryption are legion and have been for as long as it's been in use. The simple fact is there is a very large elephant in the room, which is all asymmetric encryption has a very high work factor to get even a modicum of security. If it were not of use in ways symmetric encryption can not do, it would have died of a "still birth", and the world we currently live in would have been very very different.

C: you can't keep the encryption algorithms up to date.

I lay the blaim for this problem directly at the feet of NIST as my comments for the past decade or so on this blog show.

All NIST had to do was two things neither of which would be difficult,

1, Design a framework for the updating of encryption algorithms "in place" (ie Plug and Play).

2, Add that the framework is a required part of the standard for approval.

As long as their is any excuse then the "race to the bottom" mentality of industry managment will hold sway, thus obsolescence will be prefered to upgradability as it's easier to do and more profitable.

D: You need to proxy/CDN the requests without handing the likes of Cloudflare full control over your website's digital identity.

This is a political not technical problem. The fact that Cloudflare and others in effect form a cartel and force a lack of security on everyone is not one that can be solved technically. Nor is "the free market" offering alternatives which should give you an idea of why I say cartel.

... is such a small percentage of such a small percentage of the general public that it could be used to illustrate homeopathic practices.

Which is the same problem we have with modern cars. People do not want to know or understand what goes on under the hood, they just want to "get in and go".

Do you blaim them?

It's an interesting question. Look at it old school style, "What would society be like if we all practiced Fieldcraft level OpSec?" The answer would be "Like living in a police state"...

So arguably it's our fault as technologists for not delivering "turn key security".

Whilst the Telnet client does have some uses, Telnet offers no security or even the illusion of security and the protocol is old very old it's RFC15 if memory serves correctly. Back then HTTPS would have been impossible not only had the RSA scheme not been thought up, hardware of the time could not have supported it in any way. If memory serves it was about the time Neil Armstrong took his "one step..." and "rope memory" and a bunch of NAND gates was what got him there.

SpaceLifeFormJanuary 23, 2020 3:58 PM

Telnet is great!

As long as you only use it on your LAN.

With totally trustable devices.

That can not leak.


Nurse, null modem cable please.


vas pupJanuary 24, 2020 2:24 PM

When collective 'Big Brother' is not in high tech environment, they just doing their dirty work in old fashion (20 century) way versus hacking IoT devices around here(21 century):

Russian bedroom camera in aircon 'spied on activist'
https://www.bbc.com/news/world-europe-51240977

"A year after opposition activist Anastasia Shevchenko was placed under house arrest, she has discovered a spy-camera was installed in her bedroom and secretly filmed everything for months.

"From the pictures we realized they'd installed the camera opposite Mum's bed, on the air conditioning unit.

"There were video and audio recordings; all our conversations. Now the investigators are making her go through it all to confirm it's authentic. We never expected that they'd stoop so low."

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.