Thousands of IoT Devices Impacted by Published Credentials List
29.8.2017 securityweek IoT
Over 1,700 Internet of Things (IoT) devices worldwide are potentially exposed to hackers after a list containing their IPs and default login credentials emerged on Pastebin.com.
Initially published in June, the list remained mostly unnoticed until last week, after high-profile security researchers retweeted a link to it. The view count for the list had stayed below 1,000 as of Thursday, August 24, but spiked above the 22,000 mark on Saturday.
The list has been updated several times since the initial post and contained over 33,000 entries at the end of last week, when it was removed from the website. For each of the 33,138 IPs on the list, Telnet credentials (username and password) were included.
After having a look at the list, Victor Gevers, chairman of the GDI Foundation, revealed that it only contained 8,233 unique IP addresses, as many entries were duplicates. He also noted that about 2,174 of the devices were still running open Telnet services, and that only around 1,775 of them could still be accessed using the credentials on that list.
Some of the insecure credentials exposed in the list include username/password pairs such as root:[blank], admin:admin, root:root, and admin:default. Such default credentials have previously been shown to put a great many devices and users at risk.
Over the past several days, Gevers has been hard at work notifying impacted owners or ISPs of the exposed devices, most of which are routers. So far, he has sent over 2000 emails to affected parties and is happy with the response received, Gevers told SecurityWeek on Monday morning. Over half of the reachable IPs are located in China.
“We got some nice feedback from a few ISPs because we wrote the warning emails in a way that they only need to forward them to their customers. From 2,174 reported devices 113 were directly identifiable to owners. The others we addressed to the ISPs with a request to forward our mail to their customers. In Asia we asked the GovCERTs for help getting this to the right person,” Gevers said.
He also revealed that some of the IPs were honeypots, and that the organizations operating them have already contacted him on the matter. A newly performed scan has revealed some changes in the number of devices running Telnet services. Some of the devices have closed the vulnerable ports, while others opened them.
The issue of improperly secured IoT devices is not new, as botnets such as Mirai and BASHLITE have been harnessing the power of such devices to launch massive distributed denial of service (DDoS) attacks.
According to Gevers, however, the response to the warnings sent over the past week was encouraging: “People are taking action. We saw some devices being secured on Sunday morning, others on Saturday evening. Before, an email sent on Friday afternoon wouldn’t receive a response until Monday, at best.”
What Gevers couldn’t reveal was the number of devices still impacted. The scan was ongoing at the time of this article.