A hacker leaked passwords of over 5 lakh IoT devices

Jan 21, 2020
02:35 pm

What's the story

With the rise of internet-connected devices, from phones and televisions to 'smart' lights, hackers now have new targets for breaking into people's homes and harassing them in horrifying ways. There have been numerous IoT hacks lately, and the number could rise further as a hacker has leaked the passwords of more than half a million smart gadgets, including servers, routers, and smart-home devices. Here's more.

Details

Telnet credentials for servers, IoT devices exposed

The hacker posted credentials stolen from over 515,000 devices on a hacker forum. According to ZDNet, the list included each device's IP address as well as the username and password for its telnet service, the network protocol used to access and control a device over the internet. Basically, telnet ports allow remote control of devices over the internet or LAN.

Hack

How the hacker got these credentials

To get hold of these credentials, the hacker scanned the entire internet and looked for devices exposing their telnet ports. Then, after finding them, the person tried different techniques to guess their username-password combinations and compile the list. Among the methods used, the hacker tried default username-password combinations as well as some commonly used ones.

Risk

Now, this puts all 515,000 devices at risk

The open availability of these telnet usernames and passwords on the internet puts all 515,000 devices at risk. A malicious threat actor can use the passwords to break into the telnet ports, take control of the IoT devices, and install malware on them. Imagine a hacker being able to control your home security camera, smart Android television or light bulbs. Scary!

Important

Some credentials could be outdated now

While the authenticity of the leaked credentials has not been verified (as that requires logging in and breaking into devices), the leaked list is dated October-November. This means that some of the devices might have moved to a different IP address or could be using a different username/password now. Notably, ZDNet recently scanned the internet and found many vulnerable/misconfigured home/enterprise devices.

Information

So, how to stay protected?

The ISPs and server owners hosting the vulnerable devices are being notified, but until they roll out security patches, users with IoT devices or routers are advised to head over to the management portal of their device and change its factory-set default password immediately.