Tuesday, August 29, 2017

33,000 Telnet Credentials Leak Analysis


Last week, IP addresses and telnet credentials for 33,000+ Internet of Things devices were posted on Pastebin. I downloaded the leak to analyze it and found some interesting things. I confirmed the leaked credentials by logging into some of the systems. The original leak has since been removed from Pastebin.

In this post, I will look at the following three things:

  • Introduction to Telnet protocol
  • Physical location of the IP address (with a nice world map)
  • Frequency of the usernames/passwords that were used to log in

What is Telnet?

Telnet allows remote connection to a computer over port 23 and opens up a command-line interface. The telnet protocol is inherently insecure because the protocol itself provides neither authentication nor encryption. To log in to a computer using telnet you must provide a username and password (if this setting is on; the default uses no authentication). Telnet authentication is transferred in plain text and can be sniffed by an attacker for re-use. Everything sent over an open telnet connection is also in plain text, so your activity can be observed by a third party.

Telnet has largely been replaced today by Secure Shell (SSH), which solves these security issues. Oddly enough, many Internet of Things devices still use telnet for remote administration. This is what we will be observing today.

Where in the World Are These Devices?

The original leak looked like this:

With the help of 'cut' I was able to strip the port number and credentials to get a list of just the IPs. I piped that output into 'sort' and 'uniq' to display only unique IPs. The result was 1738 unique IPs, significantly fewer than advertised in the leak.


I ran these IPs through an open-source tool: PyGeoIpMap. This Python script queries the freegeoip.net API to find out the state, country, longitude and latitude of an IP address, and generates a map of the IPs as output.


I made changes to the script to output the country corresponding to each IP. With 'sort' and 'uniq' I was able to see the different countries and the frequency with which each occurred.

We see that most of these devices are in China, India and Brazil. It makes sense that China and India would have a larger number of devices due to their large populations; however, Brazil seems to have an oddly large number in this leak.

Most Used Usernames and Passwords

Using 'sed' I parsed the original list for unique usernames and passwords. Here are my findings.

Below is a list of all the usernames paired with their frequency.

Below is a list of all the passwords paired with their frequency.

We see that the #1 most common user:pass is admin:admin. Just another reminder to always change the default credentials on any device that touches the Internet *cough* your home router *cough*
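The pipeline from the two sections above (the 'cut | sort | uniq' step that yields unique IPs, and the 'sed' step that yields username and password frequencies) written out end to end, as an added example rather than the commands from the original post. The line layout "IP:PORT USER:PASS" is an assumption, since the leak's screenshot is not reproduced here, and the sample lines are constructed test data (RFC 5737 addresses), not entries from the real leak.

```shell
#!/bin/sh
# Added example, not the original post's commands.
# Assumption: each leak line is laid out as "IP:PORT USER:PASS".
# Constructed sample data (RFC 5737 test addresses), not real leak entries.
SAMPLE='192.0.2.10:23 admin:admin
192.0.2.10:23 admin:admin
192.0.2.11:23 root:root
198.51.100.7:2323 admin:1234
198.51.100.7:23 root:admin
203.0.113.5:23 admin:admin'

# The 'cut' step: drop ":PORT USER:PASS" and keep only the IP,
# then sort | uniq to collapse hosts that appear more than once.
unique_ips() {
    printf '%s\n' "$SAMPLE" | cut -d: -f1 | sort | uniq
}

# The 'sed' step for usernames: keep the text between the space and
# the next ':', then count occurrences with uniq -c, most frequent first.
username_freq() {
    printf '%s\n' "$SAMPLE" \
        | sed -E 's/^[^ ]+ ([^:]*):.*$/\1/' \
        | sort | uniq -c | sort -rn
}

# Same for passwords: everything after the first ':' of the USER:PASS field.
password_freq() {
    printf '%s\n' "$SAMPLE" \
        | sed -E 's/^[^ ]+ [^:]*:(.*)$/\1/' \
        | sort | uniq -c | sort -rn
}

# The whole USER:PASS pair, which is what the admin:admin finding refers to.
pair_freq() {
    printf '%s\n' "$SAMPLE" | cut -d' ' -f2 | sort | uniq -c | sort -rn
}

# Top entry of a frequency list as "COUNT VALUE" (strips uniq -c's padding).
top_entry() {
    head -n 1 | awk '{ print $1, $2 }'
}

# Stand-alone run.
echo "Unique IPs: $(unique_ips | wc -l | tr -d ' ')"
echo "Most common username: $(username_freq | top_entry)"
echo "Most common password: $(password_freq | top_entry)"
echo "Most common user:pass: $(pair_freq | top_entry)"
```

Counting the full user:pass pair separately from the individual username and password lists matters: a username and a password can each top their own list without that exact pair being the most common login, so the pair count is the one to quote when saying "admin:admin" was #1.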

Conclusion

  1. Don't connect devices to the public internet unless absolutely needed.
  2. Don't use legacy protocols like Telnet; they are inherently insecure, and there is a reason SSH exists.
  3. Don't forget to change the default credentials on all your devices.
  4. China and India have big populations.

Special thanks to pierrrrrrre for writing PyGeoIpMap which I used to create the map.
