Report: Hacker Publishes Credentials for 500,000 Telnet Devices

(Image credit: Shutterstock)

ZDNet today reported that a hacker published the IP addresses, usernames and passwords used to access roughly 515,000 internet-connected devices via the Telnet protocol. That information could be used to remotely control the affected products.

The leaked credentials are said to belong to servers, routers and Internet of Things devices that exposed their Telnet port to the internet. Once the hacker found those devices, they either used the manufacturer's default account credentials or correctly guessed the username/password combination that secured the devices.

ZDNet said the credentials were leaked by a distributed-denial of service (DDoS) botnet operator who collected them between October and November 2019. It's possible that some of the devices have changed IP addresses or account credentials by now. (Not that it would be hard to find their new IP address with a quick search.)

Attackers could use those credentials to gain remote access to the affected devices. That access could in turn allow the attackers to recruit the devices in botnets that would be used to conduct DDoS attacks, engage in ad fraud or assist with other schemes. Adding more than half a million devices to a botnet could be useful.

People who rely on these so-called smart devices might want to make sure their Telnet credentials are different from the manufacturer's default username/password combination, hard to guess and private. Otherwise they might find out their internet-connected toaster is doing more than just burning their bread every morning.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • Math Geek
    the fact ANYTHING still uses Telnet is the real problem here. should be completely removed from the world at this point in the tech evolution of things.
    Reply
  • bit_user
    Math Geek said:
    the fact ANYTHING still uses Telnet is the real problem here. should be completely removed from the world at this point in the tech evolution of things.
    I'm pretty sure most ISPs block inbound connection to that port.
    Reply
  • bit_user
    It's possible that some of the devices have changed IP addresses or account credentials by now. (Not that it would be hard to find their new IP address with a quick search.)
    WTF? ...and how do you do that, Mott?

    I mean, if you have their DNS names, sure. But they probably just have the bare IPs, for most of these devices. Some of them might be findable on the same subnet, but I still wouldn't call that quick.

    People who rely on these so-called smart devices might want to make sure their Telnet credentials are different from the manufacturer's default
    ...or, don't use Telnet! Just shut it off, which most devices support.
    Reply
  • Co BIY
    Can some one take the list, remotely access all the devices and change the passwords to something secure and totally random?

    seems like a fun project!
    Reply
  • Math Geek
    Co BIY said:
    Can some one take the list, remotely access all the devices and change the passwords to something secure and totally random?

    seems like a fun project!

    that's one thing to do with it. if someone did not bother to change from the default settings, then they likely don't even use Telnet. log in, change the password and such and then you got a permanent way into whatever device it is. well, until the owner finally figures it out and turns it off or resets the device back to defaults.

    i doubt many people actually use Telnet but don't know enough to know to turn it off. it should not be enabled by default on any device especially consumer products with totally clueless users hooking it up.
    Reply
  • xodz4u
    @Math Geek

    Telnet doesn't have to be running on the destination server for it to be useful.

    Assuming the list contains more users/pass than just telnet client (port 23) --
    You download telnet then use it like this:
    telnet remoteIP remotePort
    So, you can use telnet on http port (80), ssh (22), or any apps commonly installed and running on ports on the remote system.
    Reply
  • bit_user
    Co BIY said:
    Can some one take the list, remotely access all the devices and change the passwords to something secure and totally random?
    Not legally.

    Also, by doing so, you'll be breaking anything that relied on accessing those devices via the compromised account - either by telnet or a more secure means.
    Reply
  • bit_user
    Math Geek said:
    that's one thing to do with it. if someone did not bother to change from the default settings,
    You don't know that it's truly the default settings. It could be just an easily-guessed or common password.
    Reply
  • bit_user
    xodz4u said:
    Telnet doesn't have to be running on the destination server for it to be useful.
    Yes. The username/password used for telnet logins are typically the same as used for ssh. So, even if telnet were disabled, the device might still be accessible, so long as the password is not changed.

    xodz4u said:
    just telnet client (port 23) --
    You download telnet then use it like this:
    telnet remoteIP remotePort
    So, you can use telnet on http port (80), ssh (22), or any apps commonly installed and running on ports on the remote system.
    Um, did you ever try this?

    Telnet just runs over raw TCP/IP. If you point a telnet client at a port running another protocol, it's not like it gives you a login prompt - you'll see whatever that protocol does, which most likely won't make any sense to you or be particularly useable via a telnet client.

    That said, I've used a telnet client to script some simple RTSP commands against a remote serer I was testing. So, depending on the protocol, it can definitely be useful.
    Reply