List of unsecured devices lived in obscurity since June. Now, it’s going mainstream.
Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 “Internet of things” devices and make them part of a destructive botnet.
The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.
It is likely that criminals have been using the list for months as a means to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. Still, for most of its existence, the list remained largely unnoticed, with only some 700 views. That quickly changed Thursday with this Twitter post. By Friday afternoon, there were more than 13,300 views.
Making a bad situation worse
“There’s not much new about devices standing out there with default or weak credentials,” Troy Hunt, a security researcher and maintainer of the Have I Been Pwned breach notification service, told Ars. “However, a list such as we’re seeing on Pastebin makes a known bad situation much worse as it trivializes the effort involved in other people connecting to them. A man and his dog can now grab a readily available list and start owning those IPs.”
Last year, several botnets came to light that drastically increased the potency of DDoS botnets, which use thousands of computers or other Internet-connected devices all over the world to bombard a single target with more junk traffic than it can process. Security site KrebsOnSecurity, for instance, was taken down for days by attacks that delivered a then-staggering 620 gigabits per second of network traffic. Around the same time, a French Web host reported sustaining onslaughts of 1.1 terabits per second.
The botnets that made these once-unthinkable attacks possible carried names such as Mirai and Bashlight. Unlike more traditional botnets that infected Windows computers, the new generation targeted routers, security cameras, and other Internet-connected devices. According to OVH, the France-based Web host, the 1.1-terabit-per-second barrage was delivered by roughly 145,000 devices. Based on that figure, the 2,174 currently available devices in the list that came to light Thursday are capable of only a small fraction of that firepower. Still, that’s enough to bring plenty of smaller sites down almost instantly.
Some of the credentials included in the list suggest that some of the devices have already been conscripted into botnets. The username-password combination mother:fucker, for instance, is used by some IoT botnets once they infect a device. Even if a device is currently infected by such a botnet, it’s often possible for a rival botnet operator to seize control of it by causing it to restart, since most of the malware can’t survive a reboot. The ready availability of addresses means a single device could be taken over by multiple groups.
Overall, the list included more than 33,000 records, presumably because it had been updated over time from multiple Internet scans without redundant entries being removed. Some IPs in the list showed more than one username-password pair, either because that device had more than one account or because the device had been infected by malware on subsequent scans.
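Gevers' figures (unique IPs, unique username-password pairs, hosts showing more than one pair) are the kind of tally a CERT or abuse desk produces before notifying owners. The following is an added example, not code from the article, Gevers, or the GDI Foundation; it deduplicates a dump in the assumed "ip user:pass" line format and computes those counts. The addresses and credential pairs in it are constructed placeholders from documentation ranges, not entries from the real Pastebin list.

```python
"""Summarize a leaked telnet-credential dump the way a defender would:
dedupe repeated scan entries, count unique hosts and credential pairs, and
flag hosts listed with more than one pair (a sign of multiple accounts or a
later infection). Added example; the line format 'ip user:pass' is an
assumption, and the data below is constructed."""
from collections import Counter, defaultdict

# Constructed sample: repeated scans appended without removing duplicates,
# plus one host (203.0.113.12) that shows two different credential pairs.
SAMPLE_DUMP = """\
203.0.113.10 user1:pass1
203.0.113.10 user1:pass1
203.0.113.11 user2:pass2
203.0.113.12 user1:pass1
203.0.113.12 user3:pass3
198.51.100.7 user2:pass2
198.51.100.7 user2:pass2
# comment lines and malformed entries are skipped
this line has no separator
"""


def parse_records(text):
    """Yield (ip, username, password) tuples; skip blanks, comments and junk."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or ":" not in parts[1]:
            continue
        ip, cred = parts
        user, _, password = cred.partition(":")
        yield ip, user, password


def summarize(text):
    """Return dedup statistics for a dump: raw record count, unique IPs,
    unique credential pairs, hosts with several pairs, and how many hosts
    each pair was seen on (the 'top five combinations' view)."""
    records = list(parse_records(text))
    pairs_by_ip = defaultdict(set)
    for ip, user, password in records:
        pairs_by_ip[ip].add((user, password))

    # Count each pair once per host, not once per raw record.
    hosts_per_pair = Counter(pair for pairs in pairs_by_ip.values() for pair in pairs)
    multi_pair_hosts = sorted(ip for ip, pairs in pairs_by_ip.items() if len(pairs) > 1)

    return {
        "records": len(records),
        "unique_ips": len(pairs_by_ip),
        "unique_pairs": len(hosts_per_pair),
        "hosts_with_multiple_pairs": multi_pair_hosts,
        "top_pairs": hosts_per_pair.most_common(5),
    }


def hosts_for_notification(text):
    """Group affected IPs by credential pair so owners can be notified per
    device family (devices sharing a factory default usually share a vendor)."""
    grouped = defaultdict(set)
    for ip, user, password in parse_records(text):
        grouped[(user, password)].add(ip)
    return {pair: sorted(ips) for pair, ips in grouped.items()}


if __name__ == "__main__":
    stats = summarize(SAMPLE_DUMP)
    print(f"{stats['records']} records, {stats['unique_ips']} unique IPs, "
          f"{stats['unique_pairs']} unique username:password pairs")
    print("hosts with more than one pair:", stats["hosts_with_multiple_pairs"])
    for (user, password), count in stats["top_pairs"]:
        print(f"  {user}:{password} seen on {count} host(s)")
```

Whether a listed host is still reachable cannot be determined from the dump itself; the counts above describe only what the list claims, which is why Gevers' "still running telnet" and "still accessible" numbers are separate, smaller figures.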
Of those, all but one—GMB182—were factory default passwords. GMB182 has often been used in the past by botnet malware.
Meanwhile, Gevers said the top five username-password combinations were:
People who use routers, cameras, and other IoT devices are reminded that remote access should be enabled only when there is good reason, and then only after changing default credentials to a unique, randomly generated password, ideally of 12 or more characters or, if the device doesn’t allow that, one as long as the device permits. Even when remote access is disabled, people should always ensure the default password is replaced with a strong one.