Telnet Credential Leak Reinforces Bleak State of IoT Security

The disclosure and recent analysis of thousands of leaked telnet credentials paints a bleak picture of the state of IoT security.

Shortly after the Mirai attacks, Johannes Ullrich of the SANS Internet Storm Center (ISC) decided to try a little experiment. He put a security camera DVR online—a poorly secured one with default credentials—and observed how long it would take to become infected, and how often.

He wasn’t disappointed. Ullrich said last October that by the minute, bots were hitting the DVR’s IP with telnet attempts, eventually overwhelming the server to the point it had to be constantly rebooted. Not all the attacks worked, Ullrich said, but a few times an hour, one of the bots would get in with the correct credential.

Following last week’s viral explosion of a list of telnet credentials and associated IPs, Ullrich decided to repeat his experiment. The results were equally disheartening, and paint a consistent and unimproving picture of the overall insecurity of the internet of things.

This time, Ullrich said he used a Chinese DVR manufactured by Anran in its default state, which means it can be accessed using a well-known password of “xc3511.” He also rigged the DVR so that it could be continuously infected; some malware will disable telnet after an infection, in order to keep other attackers out. Ullrich hooked his DVR up to a remotely controlled power outlet that could be set to power cycle the connected DVR every five minutes, wiping any malware from memory. He also blocked any outgoing traffic, preventing his device from attacking others online.

He started logging attacks last Thursday on what he called a “normal” Comcast business connection with five IP addresses. Ullrich kept the experiment going for more than 45 hours, logging 36 million packets in the process. There were 10,143 connections to the DVR, and 1,254 different IPs logging in with the “xc3511” password—that amounts to one every two minutes.

“The rate was what I expected,” Ullrich told Threatpost. “I had done some smaller experiments like this, and within a few minutes, the DVR is being exploited.”

Ullrich said that a Shodan search turned up information on 592 of the 1,254 IPs, with many of them routers, DVRs and other similar connected devices from large manufacturers such as TP-Link, D-Link and others.

Last week’s credential leak—the passwords were available on Pastebin since June but only went viral following a researcher’s tweet—still has researchers scrambling to notify device owners and determine whether devices are still reachable.

Researcher Ankit Anubhav has since taken his Pastebin down and has completed his analysis of the available IPs and credentials. Anubhav found the original Pastebin, which belonged to a hacker known as Miraipots. As of Saturday, the Pastebin has been viewed more than 36,000 times; it also contained a number of other files referencing known attacks such as “Mirai Bots,” “Mirai-CrossCompiler,” “Apache Struts 2 RCE Auto-Exploiter v2)” and “Slowloris DDoS Attack Script.”

Researcher Victor Gevers, founder of the GDI Foundation, continues to manually look at each IP and notify each of the owners in an attempt to have them change their credentials or close off telnet access. The list contains 33,000 IPs and credentials, but many of those IPs are duplicated throughout. As of last Friday, Gevers said 1,775 were still reachable.

Ullrich, however, thinks that in the big picture, that number is a relatively small blip.

“In short: 1,700 additional vulnerable systems will not matter. We do see a pretty steady set of 100,000-150,000 sources participating in telnet scans,” Ullrich said. “This problem isn’t going away anytime soon. If people haven’t heard yet about vulnerable DVRs and default passwords, then they will not read [the SANS report] either.”

Gevers told Threatpost the process is slow and that he’s attempting to learn whether the devices are still online and if they’re accessible with the leaked credentials. He’s also trying to determine who has—or still is—connected to the device, whether it’s a real system or a honeypot.

“These devices were [notified], so I am curious to see how good the follow-up is and what is exactly out there,” he said.

In the meantime, Ullrich said manufacturers must be responsible for the security of connected devices, before legislators step in.

“Devices have to come ‘reasonably secure’ out of the box. The device I am using cannot be secured by the end user. I don’t think there is even a firmware update (I looked a while ago, not recently), and the ‘xc3511’ password cannot be changed,” Ullrich said.

“It remains to be seen if legislation is needed to secure these devices, or some form of certification that would be reflected in a simple to identify logo,” he added. “But I do think we may end up with some kind of legislation that may prohibit the sale of devices that are not considered safe, similar to what we have for food or electrical appliances.”

Suggested articles