AppDefects
Community Champion

Telnet? Yes, that 40 yr old protocol!

"Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices". The list was shared by the operator of a popular DDoS booter service. Why not use SSH to manage these devices? Well, the answer is technical: microprocessors in these devices have a hard time managing SSH. You can do Telnet with a 2 cent, 8 bit microcontroller. SSH requires 32 bit, a bunch of flash, and more RAM than whatever else most embedded devices do. Sounds reasonable, right? Keep manufacturing costs down...

5 Replies
denbesten
Community Champion

Encryption does a great job of defending against man-in-the-middle attacks, but it does not defend against password disclosure lists. Defending against this risk requires not exposing admin interfaces to the Internet and not shipping equipment with default passwords.

CraginS
Defender I


@AppDefects wrote:

"Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices". The list was shared by the operator of a popular DDoS booter service. Why not use SSH to manage these devices? ... 


Personal history on the subject:


1. When Apple re-incorporated Steve Jobs into the company, and replaced the aging Macintosh operating system with MacOS X, based on Jobs' NeXT development, they brought the Mac into the Unix world in 2001. Apple needed to strengthen the security of OS X over existing Unix flavors, and one of the many security-related modifications in OS X was to remove telnet and ftp, and include Secure Shell (SSH). Many at my company then were very happy, because we were already a mixed Micro$oft, Apple, *ix environment. This shift by Apple gave *ix developers a single platform for office and dev work, and all of us security types were very happy with the improved security.

About two years later one of our PhD computer science types PROUDLY announced inside the company he had developed a custom mod package to insert several Unix utilities, including telnet and ftp, back into OS X. All of us in infosec executed a group facepalm and tried to tell him and his followers to cut that out. Fail.


2. When we were developing the formal ports & protocols program for the U.S. Defense Department network boundary protection, the first data service protocols on our list to ban across all network boundaries were telnet and ftp. Years later we would still see systems running telnet, and get requests to the review board for exceptions to allow it.


Craig


D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
Caute_cautim
Community Champion

@AppDefects This probably means by default all the ARM 9 chips embedded into buildings, devices and sundry items are wide open then - happy days for the cybercriminal and another way of infiltrating systems with no segmentation, segregation or controls whatsoever then.


Is this just a crazy human condition to keep repeating lessons learnt from years ago, only to be repeated every 5 to 10 years or more?


Regards


Caute_cautim

yevgeng
Newcomer I

Here is a hypothetical scenario: I'm manufacturing modules for IoT integrations. I sell telnet modules (sticking a telnet module on any device would allow it to communicate with every telnet-capable device) and ssh-capable modules (any ssh device will talk to an ssh device, with a feature to update sshd to the latest version, features and ciphers) which can also do telnet (for compatibility's sake). Of course the ssh-capable module would cost much more than the telnet-capable module. The differences would be outlined in the description of the devices offered, at least in the features. As a manufacturer I'm interested in selling both, so I would offer both.


My clients are various companies that want to deliver IoT products to market but don't really want to spend too many resources on developing the communication part (there are already available solutions) or the sensor part (there are already available solutions) or the data aggregation, analysis and reporting service (there are already available solutions). Instead, the whole business of this company would be to take these pre-existing solutions, put them together and sell them to a consumer as one package, obviously charging more than the sum of the acquired components/services.


From a purely business perspective, these clients would probably go for the cheapest components that will do the job in order to reduce costs. Yes, liability for data exposure and leaks is a concern, but as the recent Equifax settlement has shown, it's $425 million per 147 million affected consumers (or about $3 per affected person). Moreover, only $31 million is allocated towards cash; the rest is allocated towards a free credit monitoring service for a few years (which Equifax provides itself at $19.95 retail value and, as any credit monitoring company, provides significant discounts for large-volume purchases). So, even if the company gets sued, it is possible that it could settle with a free product and a small fraction of its revenue. From a business perspective, a much better alternative than increasing the cost and complexity of your product and losing sales to the competition.

reference: https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement

Caute_cautim
Community Champion

@yevgeng Let's hope you are not manufacturing in the USA and a manufacturer under the auspices of the CCPA 2018 SB-327 "Connected Devices" = because sooner or later someone will come gunning for you to honour that piece of legislation. Or perhaps, people might do their own due diligence and make their own decisions as to whether to purchase or not. Given the average lifespan of IoT embedded electronics is at least 30 to 40 years.


The model described is probably very much like a Chinese one at the present time: just get it manufactured and worry about the consequences afterwards, but make sure you don't go through IEEE registration, but simply whitelist it under another IEEE registration.


And barking dogs may not actually bark, but meow instead.


Regards


Caute_cautim