Answers to key questions on massive Telnet IoT data leak

Stefanie Smith 21 Jan 2020

Avast expert explains what consumers should know about the leak of a half-million security credentials for servers, home routers, and smart devices

A hacker recently leaked a list of more than a half-million Telnet credentials for servers, home routers, and smart devices, leaving them vulnerable to attack. Marko Zbirka, an Internet of Things threat researcher at Avast, answered key questions related to the incident – and why it matters to consumers.

Q: What is Telnet used for?

A: Telnet is a protocol used to provide remote access to devices. The protocol was developed in 1969 to provide remote access to servers. Today it is widely included in IoT devices, but only used in specific cases, for example if the user requires remote and full access to the device’s underlying system, to remotely access advanced settings or to debug such a device.

Q: Which devices commonly use the Telnet protocol?

A: We commonly see Telnet used by routers, IoT devices such as IP cameras, smart appliances, and even DVB-T2 set-top boxes.

Q: How can users tell if their devices’ Telnet port is exposed?

A: Users can check if their devices’ Telnet port is exposed by using features like Avast Wi-Fi Inspector, included in all versions of Avast Antivirus. Wi-Fi Inspector scans the network, checking for devices using Telnet for empty, default, or weak passwords, and alerts users of these, so they can make a change to secure their network. It also checks for passwords that are known to have been used by malware botnets in the past, including the Mirai botnet. Users can also check their router’s settings, by logging into their router’s administrative interface, to see if Telnet is enabled on the router. If Telnet is not being actively used, we recommend disabling it completely. We also recommend users check if port forwarding and UPnP are enabled, and unless these are being knowingly used, they should also be disabled.
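The check described in this answer (is TCP/23 reachable on a device on my own network?) can be reproduced without a commercial tool. The following script is an added example written for this page; it is not Avast's code and not how Wi-Fi Inspector is implemented. It only tests whether a TCP connection to the Telnet port is accepted on hosts you name (the `192.168.1.0/24` default is an assumed home LAN range); it sends no data and attempts no login, so it answers the question "is the port exposed?" and nothing more.

```python
"""Check which hosts on your own LAN accept connections on the Telnet port (TCP/23)."""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

TELNET_PORT = 23  # TCP/23, the port the article says attackers probe on honeypots


def telnet_port_open(host, port=TELNET_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within `timeout` seconds.

    A completed handshake means the device is accepting Telnet sessions.
    A refused or timed-out connection is reported as closed/filtered.
    Nothing is sent after the connection is established.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError, timeout, unreachable network ...
        return False


def lan_hosts(cidr):
    """Expand a CIDR such as '192.168.1.0/24' into its usable host addresses."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


def scan_hosts(hosts, port=TELNET_PORT, timeout=2.0, workers=32):
    """Probe every host in parallel; returns {host: True if port open, else False}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: telnet_port_open(h, port, timeout), hosts))
    return dict(zip(hosts, results))


def exposed_hosts(hosts, port=TELNET_PORT, timeout=2.0):
    """Return, sorted, only the hosts that accept connections on `port`."""
    return sorted(h for h, is_open in scan_hosts(hosts, port, timeout).items() if is_open)


if __name__ == "__main__":
    # Usage: python telnet_check.py 192.168.1.0/24   (your own LAN range; assumed default)
    cidr = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    found = exposed_hosts(lan_hosts(cidr))
    if found:
        print("Telnet (TCP/23) is reachable on:", ", ".join(found))
        print("Log in to each device's admin interface and disable Telnet if it is not needed.")
    else:
        print("No host in", cidr, "accepted a Telnet connection.")
```

Run it against the address range of the network you administer. A host that appears in the output is reachable on Telnet from the LAN; whether it is also reachable from the internet depends on the router's port-forwarding and UPnP settings, which is why the answer above recommends checking those too.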

Q: Where can users change their Telnet credentials?

A: It always depends on the device itself, so it’s important users consult the device's manual, and always follow best practices, such as changing default login credentials (username and password) when setting up a new device. Some devices have separate Telnet credentials, while in other devices the Telnet port can be accessed simply by logging into the device itself. Users should avoid using the same username and password on multiple devices and accounts at all costs. Cybercriminals often attempt to hack further accounts once they get their hands on a data breach including login credentials, as they are well aware that many users use the same login credentials across multiple accounts and devices. According to an Avast survey, 53% of Americans use the same password to protect multiple accounts. Finally, users should always update their devices’ firmware and software, to patch vulnerabilities that could potentially be abused by cybercriminals.  

Q: What can someone do with these login credentials? 

A: Once a hacker successfully gains access to the Telnet port, they can download and install malware and begin abusing the device. In most cases, hackers use connected devices to create a botnet, which they then can use for DDoS attacks on popular websites, for cryptocurrency mining and to scan the internet and the network the infected device sits on for other devices to infect and attack. Users can recognize that their device has become part of a botnet if they notice their device is responding slower than usual and if there is suspicious traffic going out of the device.

Q: Is it likely that other hackers are also scanning the internet, looking for devices with exposed Telnet ports?

A: Yes! We have 500 honeypots deployed around the world that were programmed with open ports, such as TCP:23 (telnet protocol), TCP:22 (ssh protocol), TCP:80 (http protocol), all of which are typically found in IoT devices, thus appearing to be IoT devices to attackers. The purpose of a honeypot is to catch cybercriminal activity and then examine their attack methods. They exist to fool attackers into thinking that the devices they are targeting are real and contain real data. On January 19th, 2020, we saw cybercriminals attempt to access the Telnet port of our honeypots 347,476 times.
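A figure like "347,476 Telnet attempts on one day" comes from counting connection events in honeypot logs per port and per day. The script below is an added example, not Avast's honeypot code, and the log format it parses (one `key=value` line per event, with constructed addresses from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24) is an assumption made for the example; the article does not describe Avast's log format. It shows the per-day count for a port, the most active sources, and how malformed or non-connect lines are skipped.

```python
"""Count honeypot connection attempts per day and per port from simple key=value logs."""
import re
from collections import Counter

# Constructed sample log (not real honeypot data). One event per line:
# <ISO-8601 timestamp> src=<ip> dport=<port> proto=<tcp|udp> event=<connect|disconnect>
SAMPLE_LOG = """\
2020-01-19T00:12:41Z src=203.0.113.45 dport=23 proto=tcp event=connect
2020-01-19T00:12:58Z src=203.0.113.45 dport=23 proto=tcp event=disconnect
2020-01-19T01:03:10Z src=198.51.100.7 dport=22 proto=tcp event=connect
2020-01-19T02:30:00Z src=203.0.113.45 dport=23 proto=tcp event=connect
2020-01-19T05:45:12Z src=198.51.100.22 dport=23 proto=tcp event=connect
2020-01-19T09:00:01Z src=192.0.2.9 dport=80 proto=tcp event=connect
2020-01-19T21:17:33Z src=203.0.113.45 dport=23 proto=tcp event=connect
2020-01-20T00:00:05Z src=198.51.100.22 dport=23 proto=tcp event=connect
not a log line
"""

# Timestamp prefix (date captured as the bucket key) followed by key=value fields.
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one log line into a dict with a 'day' key, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["day"] = m.group("day")
    return fields


def connect_events(log_text, port):
    """Yield parsed 'connect' events whose destination port matches `port`."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("event") == "connect" and rec.get("dport") == str(port):
            yield rec


def attempts_per_day(log_text, port=23):
    """Return {'YYYY-MM-DD': number of connection attempts} for one port."""
    return dict(Counter(rec["day"] for rec in connect_events(log_text, port)))


def top_sources(log_text, port=23, n=5):
    """Return the n most active source addresses for one port as (ip, count) pairs."""
    return Counter(rec["src"] for rec in connect_events(log_text, port)).most_common(n)


if __name__ == "__main__":
    for port, name in ((23, "telnet"), (22, "ssh"), (80, "http")):
        print(f"TCP/{port} ({name}) attempts per day:", attempts_per_day(SAMPLE_LOG, port))
    print("Most active Telnet sources:", top_sources(SAMPLE_LOG, 23))
```

Only `event=connect` lines are counted, so a client that connects and disconnects produces one attempt, and a line that does not match the expected shape is dropped rather than crashing the tally. The per-source view is what lets a defender tell a handful of noisy scanners apart from a broad, distributed campaign.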

Q: How likely do you think it is that these devices are now using a different IP address and/or different login credentials?

A: It’s not very likely, as many of these devices are just set up and then simply used, so many users either log in to their devices once while setting them up, if at all, and then never again. According to an Avast survey, 43% of Americans aren’t aware their router has a web administrative interface where they can log in to view and change their router’s settings. When it comes to routers, IP addresses sometimes change when the router is rebooted, or when switching from one Internet Service Provider (ISP) to another. A network is only as secure as its weakest link, and for this reason it is very important to follow security best practices.