Hacker Allows Leak Of 500,000 IoT Devices, Servers and Routers’ Credentials

This week, a significant event happened within the cybersecurity world, one that left ripples across the murky lengths of the industry. This event involves a hacker letting over 515,000 home routers, Internet of Things (IoT) devices, and servers that have their details, passwords included, be revealed to the world.

The list was
initially posted by way of a popular hacking forum and included the IP address,
username, and password for each device. All these devices are based on the Telnet remote access protocol used to control various devices through
the Internet.

Through external
expert opinions and the leaker himself speaking out, it’s concluded that the
list was compiled through a complicated procedure. First was a search of the
entire Internet for various devices that had their Telnet port exposed. When
that was gathered, the hacker made use of custom, easy-to-guess password
combinations or factory-set default credentials to gain access to the devices. 

Lists compiled
like they are here, are referred to as bot lists. Bot lists are integral parts
of the standard IoT botnet operation. Hackers comb the Internet to build such a
bot list, before connecting with them and installing various kinds of malware
on them.

These lists tend
to be private tools, generally kept secret to maintain that “edge,” but there
are cases where bot lists have leaked to the public. In recent memory, a list
of 33000 home router
credentials was leaked, also
based on the Telnet protocols. As far as common knowledge stretches, the latest
leak marks the largest one in Telnet’s history.

As more and more information comes forth about the matter at hand, it’s been concluded that the individual who leaked the information was very familiar with botnets. The individual in question was a maintainer of a DDoS-for-hire service, selling Denial of Service attacks to whoever pays him enough. When the inevitable question came as to why the man leaked all the information, it was revealed that he had upgraded his DDoS network to move away from IoT botnets. The new model, according to the maintainer, involves the use of high-output servers he rents from cloud service providers.

All the
information that the hacker had released was dated around the October-November
region of 2019. This means that some devices within the list could have had its
login details or IP addresses changed, or even taken fully off the Internet.
Even if as much as 20% became unusable throughout the few months, it was used,
that still leaves more than 412 million devices up for grabs.

These devices,
through the use of IoT search engines like Shodan or BinaryEdge, can be seen
spread across various known internet service providers (ISPs) and cloud service

A security expert within the IoT industry, one who chose to remain anonymous, explained that tools such as these are incredibly useful for various hackers across the globe.

An interesting fact to keep in mind is that these sorts of misconfigured devices tend to be localized to certain ISPs instead of being evenly spread across the Internet. The reason for this is that the staff of said ISP had misconfigured devices when they are deployed to their consumer base. Misconfiguring every single device put out by a specific ISP is a veritable harvest for hackers like the one mentioned in this article.

Furthermore, if a
hacker was diligent enough, he could make use of an old IP to determine the
service provider. With this ISP acquired, the hacker simply re-scans the
network of said ISP to update the list. This update includes new IP addresses
as well.

A new chapter
comes in the constant war against hackers and cybersecurity experts, with the
level of complexity only rising as the sheer amount of users that make use of
IoT rises. In the end, no one party will ever achieve victory, with the cybersecurity
experts only being capable of stemming the worst of the tide.