Massive password leak amplifies IoT security concerns

Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet, arstechnica.com (https://arstechnica.com/information-technology/2017/08/leak-of-1700-valid-passwords-could-make-the-iot-mess-much-worse) reports.

The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.

It is likely that criminals have been using the list for months as a means to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. Still, for most of its existence, the list remained largely unnoticed, with only some 700 views. That quickly changed Thursday with this Twitter post. By Friday afternoon, there were more than 13,300 views.

People who use routers, cameras, and other IoT devices are reminded that remote access should be enabled only when there is good reason, and then only after changing default credentials to use a unique, randomly generated password, ideally of 12 or more characters or, if the device doesn't allow that, one as long as possible. Even when remote access is disabled, people should always ensure the default password is replaced with a strong one.

Gevers said he and other GDI Foundation volunteers are in the process of contacting as many currently affected host owners as possible in an attempt to lock down the vulnerable devices. Given the IoT's deserved reputation for poor default security and the lackadaisical approach many users take to securing their devices, there almost certainly are tens of thousands of other vulnerable devices that can be easily detected with a simple Internet scan.
