This week a hacker released several large lists of Telnet credentials for routers, servers and Internet of Things (IoT) devices. Such lists can still pose a threat even if the credentials therein are outdated.
What Was on the Lists?
The lists, which contain device IP addresses along with user IDs and passwords for Telnet services, were published on a popular hacking forum on the dark web. Telnet is a remote access protocol that is used to control devices over the internet.
The exposed data belonged to over 500,000 devices, including various servers, IoT smart devices and home routers.
Why Did the Hacker Publish the Lists of Telnet Credentials?
Lists such as these can be used to conduct botnet operations and are commonly known as “bot lists”. Bot lists are used to connect to devices and install malware on the compromised devices.
According to the hacker, the lists were compiled by scanning the internet for devices that were exposing their Telnet port. He then tried factory-set default credentials and custom but easy-to-guess passwords to hack into the devices.
When asked why he published the lists, the hacker replied that he had updated his DDoS service and thus had no further use for them. According to the hacker, his service originally worked on IoT botnets. His new service now relies on high-output servers rented from cloud service providers.
What Risks Do the Lists Pose?
Since the lists are all dated between October and November last year, it is not certain how many of the credentials on the lists are still valid. Nevertheless, these lists can still pose a threat to the privacy of the people owning the devices on the lists.
Experts warn that, even if IP addresses and passwords have been updated after the lists were created, skilled hackers can still exploit the data. Misconfigured devices on the internet are usually clustered on the same Internet Service Provider (ISP). Hackers could use the IP addresses included in the lists, determine the ISP and then re-scan the ISP’s network to update the list with the latest IP addresses.
Attackers could then use these credentials to gain remote access to affected IoT devices, as in a recent case involving a Ring camera. In this incident, an eight-year-old girl was taunted by a hacker through a camera installed in her room. Other incidents have even involved internet-connected children's toys.