A hacker has reportedly dumped Telnet credentials associated with more than 515,000 home routers, servers, and Internet-connected devices on a popular hacker forum.
As per the hacker's own admission to ZDNet, the Telnet credentials were obtained after the hacker ran a search on the Internet for Internet-connected devices, including home routers, that exposed their Telnet ports.
Telnet is a protocol that allows connections between IoT devices and their hosts (remote computers) over a TCP/IP network. The protocol is used widely to connect millions of IoT devices to their hosts and works with popular operating systems such as macOS, Windows, Unix, and Linux.
Telnet credentials obtained from unprotected IoT devices that exposed Telnet ports
According to ZDNet, the hacker obtained Telnet credentials of more than 515,000 home routers, servers, and Internet-connected devices as well as each device's IP address and default usernames and passwords for the Telnet service. The hacker confirmed that the leaked Telnet credentials were dated between October and November 2019.
These credentials were then published by "the maintainer of a DDoS-for-hire (DDoS booter) service" who wanted to upgrade his DDoS service from exploiting IoT botnets to a new model that involved the use of high-putput servers from cloud service providers.
"This latest IoT vulnerability highlights the urgent need for a new set of security standards and protocols that deal with the rapid emergence of connected devices. Governments need to establish guidance, and manufacturers need to be held responsible for following best practices when designing ‘connected’ devices," said Stuart Sharp, VP of solution engineering at OneLogin.
"Standards won’t eliminate all vulnerabilities, but they could bring order to what is right now the wild west of IoT."
Gavin Millard, VP of intelligence at Tenable, said that the Telnet remote login protocol suffers from hilariously bad security issues alongside its cleartext twin FTP, that should have been removed from systems years ago and has no place on any device, especially those that are exposed to the internet.
"Irrelevant of protocol used though, the most concerning issue with the dataset is the 500,000 systems directly connected to the internet with easily guessed passwords. Whilst these systems probably don’t have any business critical information on them, they could easily be leveraged in an automated attack similar to the internet hobbling Mirai botnet from 2016.
"Admins should be regularly assessing the external attack surface of network ranges they own to identify old and easily exploited protocols including SMBv2, FTP and RDP, as well as flaws affecting newer protocols that could be taken advantage of by anyone that spends five minutes reading up on how to hack," he added.
IoT device owners must use SSH instead of Telnet protocols
Kieran Roberts, the head of penetration testing at Bulletproof, has the following advice for IoT device manufacturers as well as their users:
1. Telnet should not be used, as it is unencrypted and therefore vulnerable to man-in-the-middle attacks – SSH should be used instead.
2. Usernames and passwords are not a secure authentication method. This should be replaced with key-based authentication.
3. Root/Admin logins should not be allowed remotely. We should use non-privileged users to authenticate then escalate privileges."
This isn't the first time that vulnerabilities in IoT devices featuring poor security protocols have been exploited by hackers to steal credentials or to infect a large number of IoT devices with dangerous malware.
In 2017, a hacker launched two variants of the BrickerBot denial-of-service botnet within few days of each other to target thousands of IoT devices that ran a Linux tool package called BusyBox, featured publicly-exposed telnet-based interface and featured default factory passwords.