The hacker compiled the list by scanning the internet for devices exposing their Telnet port. Here are two experts’ valuable comments.
Recently, a hacker published a massive list of Telnet credentials, consisting of leaked passwords to more than 500,000 servers, routers and IoT devices, including IP addresses, along with the usernames and passwords for the Telnet service.
To help readers learn from what happened, CybersecAsia shares the views of two cybersecurity experts regarding this cyber incident.
Boris Cipot, Senior Security Strategist, Synopsys Software Integrity Group: As the gatekeepers to sensitive information, devices and services, passwords act as the first line of defence against potential intruders. For this reason, everyone should have a strong, unique password to access those assets. Using a generic password on multiple accounts means that once it is exposed, all of the devices and services it is used on are potentially compromised.
The other question at hand is why would anyone leave a Telnet port open and accessible. There is almost no reason that a normal user of a router, IoT device or a service on the internet would need text-based bidirectional access. I suspect that those who do need text-based bidirectional access would be aware of the threats they may be vulnerable to, and would protect their router with better passwords and other security measures. Many of the devices exposing Telnet ports probably had that functionality turned on by default, without users’ understanding or knowledge of what that may mean for the security of their devices.
Back to the importance of strong passwords: internet-facing devices, be they phones, IoT devices or routers, need to be protected with unique passwords or pass phrases. However, most of the responsibility lies on the manufacturers of devices and service providers. Functionality should be handled by importance and sensitivity. Functionalities that can make a device potentially vulnerable should not be easily settable. Such settings should be hidden, and should come with a warning of what could happen as a consequence.
Anyone with an understanding of cybersecurity will appreciate such warnings, as they demonstrate the manufacturers’ commitment to protecting users, while less security-minded users will learn the risks and maybe leave the setting off. Such sensitive settings should never be left on by default.
If the manufacturer needs this setting to be turned on to maintain service to the device, then they must find a manageable way for the user to grant them access, or use a special combination of username and strong passwords that are not easy to guess. Too often we see combinations like admin/admin or root/root. From a cybersecurity standpoint, devices with such pre-settings should not be allowed on the market. There are manufacturers that provide their users with better security and offer them safer devices, and I strongly believe this should be a standard.
Clement Lee, Principal Consulting Architect, Asia Pacific, Check Point Software Technologies: Servers, network routers and IoT devices are commonly accessible from public networks (for example, malls, cafes, free public WiFi) and/or the internet. Such WiFi is inherently insecure, and therefore so is your home network. Allowing easy access to such resources exposes businesses and private citizens to all sorts of malicious (even criminal) activities and may even subject them to legal liabilities. Even if the hackers are not interested in your personal/business’ private data, you can become an unwitting resource in the participation of a wide-scale, coordinated attack against targeted entities.
When you introduce any component into your network (home or business), ensure that any sort of administrative function to the device MUST HAVE access control credentials and that they are NOT left at the factory default id and password. Make it a point to change your WiFi password regularly, and check with the device manufacturer for firmware updates, every six months. Do not be unwitting participants to cybercrime.
At this point in time, IoT device manufacturers have very little incentive to invest significant attention on security. This is especially true when the cost of consumer electronics keeps dropping and manufacturers are struggling to keep their margins competitive. Unfortunately, until there is legislation and/or market demands that would impact manufacturers’ bottom lines, I highly doubt that there will be any progress in IoT security.