ZDNet recently reported that a hacker had published a massive list of Telnet credentials for more than 500,000 servers, routers and IoT devices on the dark web in what could be the largest known leak of Telnet passwords to date. Among the information included in the list were the IP addresses as well as the usernames and passwords for the affected devices.
The hacker, said to be running a DDoS-for-hire service, was able to compile the list by trawling the internet for devices with exposed Telnet ports and checking whether they were using factory-default or easy-to-guess usernames and passwords.
To put it simply, having access to the information would allow a threat actor to control the devices remotely over the internet. Clement Lee, Principal Consulting Security Architect, Asia Pacific, Check Point Software Technologies, explained to CSA that allowing easy access to such resources exposes businesses and private citizens to all sorts of malicious (even criminal) activities and may even subject them to legal liabilities.
“Even if the hackers are not interested in your personal/business' private data, you can become an unwitting resource in the participation of a wide-scale, coordinated attack against targeted entities,” Clement said.
Meanwhile, Boris Cipot, Senior Security Strategist, Synopsys Software Integrity Group, said that as the gatekeepers to sensitive information, devices and services, passwords act as the first line of defence against potential intruders. For this reason, he continued, “Everyone should have a strong, unique password to access those assets. Using a generic password on multiple accounts means that once it is exposed, all of the devices and services it was used on are potentially compromised.”
Boris also questioned why anyone would leave a Telnet port open and accessible. “There is almost no reason that a normal user of a router, IoT device or a service on the internet would need text-based bidirectional access. I suspect that those who do need text-based bidirectional access would be aware of the threats they may be vulnerable to, and would protect their router with better passwords and other security measures,” he added.
Therefore, Boris surmised that many of the devices exposing Telnet ports probably had that functionality turned on by default, without users’ understanding or knowledge of what that may mean for the security of their devices.
Security Still An Afterthought
Both Boris and Clement agreed that when any internet-facing device, be it a phone, IoT device or router, is introduced into a home or business network, it needs to be protected with strong passwords or passphrases which are different for every device and service – and NEVER left with the default settings unchanged.
“Make it a point to change your Wi-Fi password and check with the device manufacturer for firmware updates, every six months. Don't be unwitting participants to cybercrime,” commented Clement.
Nevertheless, Boris stressed that a significant share of the responsibility lies with device manufacturers and service providers. He explained, “Functionality should be handled by importance and sensitivity. Functionalities that can make a device potentially vulnerable should not be easily settable. Such settings should be hidden, and should come with a warning of what could happen as a consequence.”
In Boris’ view, anyone with an understanding of cybersecurity will appreciate such warnings, as they demonstrate the manufacturers’ commitment to protecting users, while less security-minded users will learn the risks and maybe leave the setting off. He echoed Clement’s earlier statement by saying that such sensitive settings should never be left on by default.
“If the manufacturer needs this setting to be on to maintain service to the device, then they must find a manageable way for the user to grant them access, or use a special combination of username and strong passwords that are not easy to guess. Too often we see combinations like admin/admin or root/root. Devices with such pre-settings should not be allowed on the market from a cybersecurity standpoint. There are manufacturers that provide their users with better security and offer them safer devices, and I strongly believe this should be a standard,” Boris elaborated further.
As for why IoT security is still a major issue despite the growing awareness and concern around cybersecurity, Clement said this was due to IoT device manufacturers having very little incentive to invest significant attention in security at this point in time.
“This is especially true when the cost of consumer electronics keeps dropping and manufacturers are struggling to keep their margins to keep themselves competitive. Unfortunately, until there is legislation and/or market demands that would impact manufacturers’ bottom lines, I highly doubt that there will be any progression in IoT security,” Clement remarked.
As for the leaked Telnet credentials themselves, they were all dated between October and November of 2019. Thus, there’s a possibility that some of the affected devices would now be running on different IP addresses and using different usernames and passwords. But even if that were the case, ZDNet reported that the list remains incredibly useful for a skilled cyber attacker.