Attacks against Teltonika Networks SMS Gateways

    Published: 2025-04-24. Last Updated: 2025-04-24 14:57:37 UTC
    by Johannes Ullrich (Version: 1)

    [Image: Teltonika RUT956 SMS Gateway]

    Ever wonder where all the SMS spam comes from? If you are trying to send SMS "at scale," there are a few options: You could sign up for a messaging provider like Twilio, the AWS SNS service, or several similar services. These services offer easily scriptable and affordable ways to send SMS messages. We have previously covered how attackers attempt to steal related credentials to use these services even cheaper (for free!).

    But if you are not into cloud or SaaS, maybe you instead like to send your own SMS messages directly? Or would you like to become the next Twilio? In this case, special SMS gateways are available. One company making these gateways is Teltonika Networks. They offer a wide range of products to send and receive SMS, including devices for IoT remote management and enterprise SMS gateways.

    But of course, you need to authenticate to send SMS messages. Nobody wants complex login credentials and passwords. Teltonika offers simple default credentials: "user1" as user name, and "user_pass" as password.

    I am surprised it took so long for us to see some scans for these well-known credentials. For example:

    /cgi-bin/sms_send?username=user1&password=user_pass&number=00966549306573&text=test

    This request will send an SMS "test" to 00966549306573, a number in Saudi Arabia. Oddly enough, every so often I see Saudi Arabian numbers used in SMS-related scans.

    Here are a few other passwords I have seen, all for the user "user1":

    1234
    admin
    p8xr6tINNA0eGBIY
    root
    rut9xx
    teltonika
    test
    user1

    The long "random" password is interesting. It was used several times, and I am not sure if that is some kind of "support" backdoor. The "rut9xx" password makes sense as the model numbers for the industrial Teltonika gateways start with "RUT", like RUT140, RUT901, RUT906...

    Numbers I have seen as a recipient:

    00966549306573 (Saudi Arabia)
    0032493855785& (Belgium)
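
    One way to look for these probes in your own web server logs, as an added example that is not part of the original diary. The combined log format, the sample lines and the function name are assumptions; the path, parameter names and passwords are the ones listed above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Passwords the diary lists for user "user1" (the default "user_pass" first).
SEEN_PASSWORDS = {"user_pass", "1234", "admin", "p8xr6tINNA0eGBIY", "root",
                  "rut9xx", "teltonika", "test", "user1"}

# Assumption: combined-format access log (source IP first, quoted request line).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def find_sms_send_probes(lines):
    """Return one dict per request to /cgi-bin/sms_send found in the log lines."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        src, target, status = m.groups()
        url = urlsplit(target)
        if url.path != "/cgi-bin/sms_send":
            continue
        q = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
        user = q.get("username", [""])[0]
        password = q.get("password", [""])[0]
        hits.append({
            "src": src,
            "status": int(status),
            "username": user,
            "known_password": user == "user1" and password in SEEN_PASSWORDS,
            "number": q.get("number", [""])[0],
            "text": q.get("text", [""])[0],
        })
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Apr/2025:10:00:01 +0000] "GET /cgi-bin/sms_send?username=user1&password=user_pass&number=00966549306573&text=test HTTP/1.1" 404 153',
    '192.0.2.10 - - [24/Apr/2025:10:00:02 +0000] "GET /cgi-bin/sms_send?username=user1&password=rut9xx&number=00966549306573&text=test HTTP/1.1" 404 153',
    '198.51.100.7 - - [24/Apr/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [24/Apr/2025:10:06:00 +0000] "GET /cgi-bin/sms_send?username=ops&password=S3parate-Long-Value&number=0015550100&text=hello HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for hit in find_sms_send_probes(SAMPLE_LOG):
        label = "known-credential probe" if hit["known_password"] else "sms_send request"
        print(f'{hit["src"]} {hit["status"]} {label} -> {hit["number"]}')
```

    On a device that actually exposes this endpoint, a hit with a known password and a success status is the case to investigate first.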

    As usual, change default passwords, particularly for more professional equipment like this: Throw it back at the vendor (HARD!) if it comes with a default password.

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

    Keywords: sms teltonika