Telnet credentials for half-a-million IoT devices and routers released online

Telnet belongs in a museum, warn security specialists, but is still rolled into modern internet-connected devices

Telnet credentials covering more than 515,000 devices, including routers and IoT devices have been published online by an anonymous hacker.

The list was put together from a basic internet scan for exposed Telnet ports, which were then tested against a list of default user names and password, or commonly used user names and passwords.

Telnet, one of the earliest remote login protocols, belongs in the museum of hilariously bad security issues alongside its cleartext twin FTP

According to ZDNet, the list, dated October-November 2019, was published by the maintainer of a DDoS-for-hire service. Many of the devices are clustered on the edge of particular ISPs' networks, indicating that their routers have been distributed in a misconfigured state.

Security specialists, though, have argued that ‘ancient' protocols like Telnet should not even be incorporated or enabled on modern devices as they represent a big security threat.

"Telnet, one of the earliest remote login protocols, belongs in the museum of hilariously bad security issues alongside its cleartext twin FTP. They should have been removed from systems years ago and have no place on any device, especially those that are exposed to the internet," said Gavin Millard, vice president of intelligence at ‘cyber exposure' specialist Tenable.

Admins should be regularly assessing the external attack surface of network ranges they own to identify old and easily exploited protocols

He continued: "Regardless of the protocol used though, the most concerning issue with the dataset is the 515,000 systems directly connected to the internet with easily guessed passwords. While these systems probably don't have any business critical information on them, they could easily be leveraged in an automated attack similar to the internet-hobbling Mirai botnet from 2016.

"Admins should be regularly assessing the external attack surface of network ranges they own to identify old and easily exploited protocols, including SMBv2, FTP and RDP, as well as flaws affecting newer protocols that could be taken advantage of by anyone that spends five minutes reading up on how to hack."

The use of passwords, too, to secure devices has also proved problematic in the internet age.

In January last year, some 700 million email account credentials were dumped online, while even a company as large as Facebook had to force a password reset on 600 million users because it was found to have been storing credentials - accessible by 12,000 staff - in plain text.