Banner Day for Botnets: 1,700 IoT Credentials Leaked

A list of login credentials for home routers and more than 1,700 internet of things (IoT) devices has been published on Pastebin.

The list contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open Telnet servers as of the end of last week. Victor Gevers, chairman of the GDI Foundation, told Ars Technica that out of those, 1,774 remain accessible using the credentials.

More telling, there are just 144 unique username-password combinations being used across 8,233 hosts.

Gevers also said that GDI Foundation volunteers are contacting the affected host owners to help lock down the devices.

The list was posted earlier in the summer but didn’t attract much attention until a researcher at NewSky Security posted a portion of the list last week via Twitter, driving more than 13,300 views.

That researcher, Ankit Anubhav, said that the vast majority of the leaked credentials are factory-default combos, with simple passwords that include admin, 123456, and the time-honored “password.”

IoT devices are often targets for botnet operators, who then use them to carry out DDoS operations and other nefarious activities. Criminals target IoT devices that have Telnet service running and which are exposed to the internet; and they generally go about trying to authenticate these with common username and password combinations. IoT devices are handy additions for botnets—easily enslaved and, because they lead an existence that tends to be free of human interaction, can be compromised without notice for long periods of time.

Because users often don’t change default passwords, IoT devices form the backbone of the Mirai botnet; and there are others, like BrickerBot, which carries out permanent DDoS. But Brian Vecci, technical evangelist at Varonis, noted that not only do consumers need to be mindful of what they put on their network and do what they can to secure their devices, but manufacturers have an obligation to make security an essential part of the design as well.  

“Not everyone is going to take the time to make sure everything on their home network is secure—many won’t even know that they should,” he said, via email. “Any device using a single set of default credentials for everyone will inevitably have some percentage that end up installed and never configured, adding another weapon for hackers to abuse.”

Device manufacturers need to build better security into the design of their products and services to ensure that even if a consumer doesn’t take the time to customize the device, it’s not accessible and inviting abuse, he added.

“Some manufacturers, for example, are beginning to minimize the risk of devices being hacked by randomizing factory default credentials and disabling remote access by default to,” he added. “Educating users about security needs to be a priority for all manufacturers. Botnets hijacking devices will continue to be a growing problem until security and privacy by design are par for the course for everyone—from device makers to end users.”

What’s Hot on Infosecurity Magazine?