IoT Credentials for the Taking in Public Space
Cybercriminals have specialized tools to scan the internet for poorly protected or insecure connected devices, but their job is even easier when the data is handed to them in a public listing. Last week, security researchers found on the anonymous text storage site Pastebin a list of more than 33,000 IP addresses, together with telnet credentials, for gadgets exposed on the web.
The list had been sitting online since June 11 and had drawn fewer than 1,000 views until August 24, when security researcher Ankit Anubhav publicly alerted the infosec community to its existence; its view count then grew to more than 22,000. In total, the list held 33,138 entries, but not all of them were unique, and a little over 2,000 of the hosts still had a telnet server listening.
Victor Gevers, chairman of the GDI Foundation, a non-profit that does responsible vulnerability disclosure, analyzed the Pastebin list and shared the above statistics, adding that at the time of his examination some of the devices could still be accessed with the leaked credentials. Many entries shared the same username and password pair: only 144 combinations were unique, and many of those were the credentials the product ships with by default.
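A defender who gets hold of such a list wants to answer the same questions Gevers did: how many entries are really unique, how many distinct credential pairs there are, how many of those are vendor defaults, and whether any of the hosts sit in address space the defender is responsible for. The script below, an added example that is neither part of the original article nor GDI Foundation's tooling, does that triage over a constructed sample. The `ip:port user password` line layout, the sample entries (using documentation address ranges), and the small table of well-known default telnet credentials are all assumptions; the real list's format is not given in the article.

```python
import ipaddress
import socket
from collections import Counter
from dataclasses import dataclass

# Constructed sample in an assumed "ip:port user password" layout.
# Duplicate lines and one malformed line are included on purpose so the
# parser and the de-duplication are exercised.
SAMPLE_LIST = """\
198.51.100.10:23 root xc3511
198.51.100.10:23 root xc3511
198.51.100.11:23 admin admin
203.0.113.7:2323 root vizxv
203.0.113.7:2323 root vizxv
203.0.113.8:23 root xc3511
192.0.2.20:23 root Zte521
192.0.2.21:23 admin CompanyPassw0rd
this line is not an entry
"""

# Assumed, deliberately small table of vendor default (user, password)
# pairs; a real analysis would use a far fuller list.
KNOWN_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
    ("support", "support"), ("root", "Zte521"), ("root", "root"),
}


@dataclass(frozen=True)
class Entry:
    host: str
    port: int
    user: str
    password: str


def parse_list(text):
    """Parse 'ip:port user password' lines; silently skip anything else."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or ":" not in parts[0]:
            continue
        host, _, port = parts[0].rpartition(":")
        try:
            ipaddress.ip_address(host)   # rejects hostnames and garbage
            port_num = int(port)
        except ValueError:
            continue
        entries.append(Entry(host, port_num, parts[1], parts[2]))
    return entries


def summarize(entries, defaults=KNOWN_DEFAULTS):
    """Return the counts a disclosure team would report for the list."""
    # dict.fromkeys de-duplicates while keeping first-seen order, so the
    # Counter's tie-breaking is deterministic across runs.
    unique = list(dict.fromkeys(entries))
    creds = Counter((e.user, e.password) for e in unique)
    default_hosts = {e.host for e in unique if (e.user, e.password) in defaults}
    return {
        "total_lines": len(entries),
        "unique_entries": len(unique),
        "unique_hosts": len({e.host for e in unique}),
        "unique_credentials": len(creds),
        "most_common": creds.most_common(3),
        "hosts_with_default_creds": len(default_hosts),
    }


def hosts_in_my_ranges(entries, prefixes):
    """Which leaked hosts fall inside the given CIDR prefixes (your own)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = {e.host for e in entries
            if any(ipaddress.ip_address(e.host) in n for n in nets)}
    return sorted(hits)


def telnet_listening(host, port=23, timeout=3.0):
    """TCP reachability check only: no login is attempted. Run it solely
    against hosts you are authorized to test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    parsed = parse_list(SAMPLE_LIST)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
    print("in 192.0.2.0/24:", hosts_in_my_ranges(parsed, ["192.0.2.0/24"]))
```

The summary mirrors the figures in the article (raw lines versus unique entries versus unique credential pairs), and `hosts_in_my_ranges` is the check an operator would run against their own prefixes before anyone else does; `telnet_listening` is the only part that touches the network, which is why `main` does not call it.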
Among the vulnerable devices were IP cameras, DVRs (digital video recorders), 4G modems and routers from various manufacturers. It is no surprise to find these types of IoT devices on the list, since it is well known that they swelled the ranks of the infamous Mirai botnet in October last year. People often leave remote access enabled on connected gadgets and rarely change the password the manufacturer shipped. Owners seem to believe the chances of a cybercriminal stumbling on their device are low. However, cybercriminals run automated scans across large portions of the internet, collecting every device that answers their probes, so a reachable telnet port with a default password is found sooner rather than later.
Gevers and his team notified a large number of the owners (many in China) of devices whose IP address and credentials appeared in the Pastebin list; this, together with the publicity, led many of the hosts to stop accepting remote connections. Pastebin removed the post. Nonetheless, the data spent more than two months online and was viewed thousands of times, leaving plenty of time for someone to hijack the devices for a botnet.