Security researchers have uncovered a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.
The list of telnet-accessible devices, currently posted at this Pastebin address, was originally posted in May but has been updated several times since then. It contains usernames and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, Victor Gevers, chairman of the GDI Foundation, a Netherlands-based non-profit that works to improve Internet security, told Ars. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. Attesting to the poor state of IoT security, the 8,233 hosts used just 144 unique username-password pairs.
It's likely that criminals have been using the list for months as a way to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. For most of its existence, however, the list received little attention, with only about 700 views. That changed quickly on Thursday following this Twitter post. By Friday afternoon, it had more than 13,300 views.
Making a bad situation worse
"There's not much new about devices sitting out there with default or weak credentials," Troy Hunt, a security researcher and operator of the Have I Been Pwned breach-notification service, told Ars. "However, a list like the one found on Pastebin makes a known bad situation much worse, as it puts those devices within reach of other people. A man and his dog can get a readily available list and start owning those IPs."
Last year, a slew of botnets came to light that massively increased the power of DDoS attacks, which use thousands of Internet-connected computers or devices all over the world to bombard a target with more junk traffic than it can process. The KrebsOnSecurity site, for example, was knocked offline for days by attacks that delivered an astonishing 620 gigabits per second of network traffic. Around the same time, a French web host reported receiving attacks of 1.1 terabits per second.
The botnets enabling these once-unthinkable attacks carried names like Mirai and Bashlight. Unlike more traditional botnets built from Windows computers, this new generation targets routers, security cameras, and other Internet-connected devices. According to OVH, the France-based web host, the 1.1-terabit-per-second barrage was delivered by roughly 145,000 devices. Based on that figure, the 2,174 devices currently reachable from the list that came to light on Thursday would have only a small fraction of that capacity. Still, that is enough to take down many smaller sites almost instantly.
Some of the credentials in the list suggest that certain devices have already been taken over by botnets. The password "fucker," for example, is set by some IoT botnets once they infect a device. Even when a device is currently infected by such a botnet, it is often possible for a rival botnet operator to take control of it by causing the device to reboot, since most IoT malware runs only in memory and does not survive a reboot. The public availability of the addresses means a single device can be hijacked by multiple parties.
In total, the list contains more than 33,000 entries, presumably because it has been updated over time from various Internet scans without redundant entries being removed. Some IPs in the list show more than one username-password combination, either because the device has more than one account or because the device was found infected with malware in subsequent scans.
The list was compiled by someone who has published a trove of IoT credentials and botnet source code that has proven useful to security professionals, Ankit Anubhav, a researcher with NewSky Security, told Ars. While some of the passwords appear to have been changed from their defaults, even those are weak enough to be cracked by brute force, a process that repeatedly submits the most commonly used usernames and passwords to telnet-accessible devices in the hope of guessing the correct combination. The majority of the 144 unique pairs, however, are factory-default credentials. The top 10 passwords, as enumerated by Anubhav, with the number of hosts using each, are:
- admin (4,621)
- 123456 (698)
- 12345 (575)
- xc3511 (530)
- GMB182 (495)
- Zte521 (415)
- password (399)
- oelinux123 (385)
- jauntech (344)
- 1234 (341)
Of those, all but one, GMB182, are factory-default passwords. GMB182 has frequently been used in the past by botnet malware.
Gevers, meanwhile, says the top five username-password combinations, with the number of hosts using each, are:
- root:[blank] (782)
- admin:admin (634)
- root:root (320)
- admin:default (21)
- default:[blank] (18)
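The statistics above (unique hosts, unique username-password pairs, top passwords, top pairs, hosts with more than one account, and the share of pairs that are factory defaults) are straightforward to reproduce from a dump like this one. The following is an added example written for this page, not code from the article, GDI Foundation, or NewSky Security. The line format ("ip[:port] user:password", blank password as an empty string) is an assumption, since the Pastebin layout is not shown here; the sample dump and the small FACTORY_DEFAULTS set are constructed for illustration. The same helper also answers the question a device owner should ask: does my current credential appear in the leaked set or in the default set?

```python
"""Aggregate a leaked IoT credential dump and check credentials against it.

Added example, not the article's or the researchers' own code.
Assumed line format: "<ip>[:<port>] <username>:<password>"; a blank
password is an empty string after the colon. Lines that do not match are
skipped, which is what a real dump with stray text needs.
"""
from collections import Counter
import re

# Constructed sample dump: one duplicate host (203.0.113.10 appears twice,
# as in re-scanned lists), one host with two accounts, one garbage line.
SAMPLE_DUMP = """\
203.0.113.10:23 root:
203.0.113.11:23 admin:admin
203.0.113.12:23 root:xc3511
203.0.113.12:23 admin:1234
203.0.113.10:23 root:
203.0.113.13:23 root:GMB182
203.0.113.14 admin:admin
203.0.113.15:23 root:
203.0.113.16:23 root:
198.51.100.7:2323 default:
garbage line that does not parse
"""

# Small assumed set of factory defaults used for labelling only; the article's
# full set of 144 pairs is not reproduced here.
FACTORY_DEFAULTS = {
    ("root", ""), ("admin", "admin"), ("root", "root"),
    ("root", "xc3511"), ("admin", "default"), ("default", ""),
}

LINE_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\s+([^:\s]+):(\S*)"
)


def parse_dump(text):
    """Return a list of (ip, username, password) triples, one per parseable line."""
    creds = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _port, user, password = m.groups()
        creds.append((ip, user, password))
    return creds


def summarize(creds, top=3):
    """Collapse duplicate scan entries and compute the headline numbers."""
    unique = set(creds)                       # repeated (ip, user, pw) rows collapse here
    hosts = Counter(ip for ip, _, _ in unique)
    pairs = Counter((u, p) for _, u, p in unique)
    passwords = Counter(p for _, _, p in unique)
    default_hits = sum(n for pair, n in pairs.items() if pair in FACTORY_DEFAULTS)
    return {
        "entries": len(creds),                # raw rows, duplicates included
        "hosts": len(hosts),                  # unique IP addresses
        "unique_pairs": len(pairs),           # distinct username:password pairs
        "top_passwords": passwords.most_common(top),
        "top_pairs": pairs.most_common(top),
        # fraction of deduplicated entries whose pair is a known factory default
        "default_share": default_hits / len(unique) if unique else 0.0,
        # hosts that show more than one distinct credential (extra account or
        # a later scan catching a malware-set password)
        "multi_account_hosts": sorted(ip for ip, n in hosts.items() if n > 1),
    }


def is_exposed(user, password, creds):
    """True if the pair is a factory default or already appears in the dump."""
    pair = (user, password)
    return pair in FACTORY_DEFAULTS or any((u, p) == pair for _, u, p in creds)


if __name__ == "__main__":
    creds = parse_dump(SAMPLE_DUMP)
    for key, value in summarize(creds).items():
        print(f"{key}: {value}")
    print("root/(blank) exposed:", is_exposed("root", "", creds))
    print("admin/c0rrectHorse!9 exposed:", is_exposed("admin", "c0rrectHorse!9", creds))
```

Deduplication is done on the full (ip, user, password) triple, so a host that appears in several scans with the same credential counts once, while a host that appears with two different credentials is counted once as a host and twice in the pair statistics, which is the distinction the article draws.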
People who use routers, cameras, and other IoT devices are reminded that remote access should be enabled only when there is a good reason, and then only after changing the default credentials to a unique, randomly generated password of 12 characters or more or, if the device does not allow that, one that is as long as possible. Even when remote access is disabled, people should always make sure the default password is replaced with a strong one.
Gevers said he and other GDI Foundation volunteers are in the process of contacting as many of the currently affected host owners as possible in an effort to get the vulnerable devices locked down. Given the reputation IoT deservedly has for poor default security and the lack of means many users have for protecting their devices, there are almost certainly thousands of other vulnerable devices that can easily be found in an Internet scan.