
Attacks against Teltonika Networks SMS Gateways

Published: 2025-04-24. Last Updated: 2025-04-24 14:57:37 UTC
by Johannes Ullrich (Version: 1)

[Image: Teltonika RUT956 SMS Gateway]

Ever wonder where all the SMS spam comes from? If you are trying to send SMS "at scale," there are a few options: You could sign up for a messaging provider like Twilio, the AWS SNS service, or several similar services. These services offer easily scriptable and affordable ways to send SMS messages. We have previously covered how attackers attempt to steal related credentials to use these services even cheaper (for free!).

But if you are not into cloud or SaaS, maybe you would instead like to send your own SMS messages directly? Or would you like to become the next Twilio? In this case, special SMS gateways are available. One company making these gateways is Teltonika Networks. They offer a wide range of products to send and receive SMS, including devices for IoT remote management and enterprise SMS gateways.

But of course, you need to authenticate to send SMS messages. Nobody wants complex login credentials and passwords. Teltonika offers simple default credentials: "user1" as user name, and "user_pass" as password.

I am surprised it took so long for us to see some scans for these well-known credentials. For example:

/cgi-bin/sms_send?username=user1&password=user_pass&number=00966549306573&text=test

This request will send an SMS "test" to 00966549306573, a number in Saudi Arabia. Oddly enough, every so often I see Saudi Arabian numbers used in SMS-related scans.

Here are a few other passwords I have seen, all for the user "user1":

1234
admin
p8xr6tINNA0eGBIY
root
rut9xx
teltonika
test
user1

The long "random" password is interesting. It was used several times, and I am not sure if that is some kind of "support" backdoor. The "rut9xx" password makes sense as the model numbers for the industrial Teltonika gateways start with "RUT", like RUT140, RUT901, RUT906...

Numbers I have seen as a recipient:

00966549306573 (Saudi Arabia)
0032493855785& (Belgium)

As usual, change default passwords, particularly for more professional equipment like this: Throw it back at the vendor (HARD!) if it comes with a default password.
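One way to check your own web server or honeypot logs for the requests described above, as an added example that is not part of the original diary. The combined access log format, the function name and the sample log lines are assumptions constructed for illustration; the path, parameter names and passwords are the ones listed in the diary.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Passwords listed in this diary as tried for the user "user1"
SEEN_PASSWORDS = {"user_pass", "1234", "admin", "p8xr6tINNA0eGBIY",
                  "root", "rut9xx", "teltonika", "test", "user1"}

# Source address and request line of a combined-format access log entry (assumed format)
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def find_sms_send_probes(lines):
    """Return one dict per request for /cgi-bin/sms_send found in the log lines."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("uri"))
        if url.path != "/cgi-bin/sms_send":
            continue
        # keep_blank_values so an empty password= is still reported
        q = parse_qs(url.query, keep_blank_values=True)
        password = q.get("password", [""])[0]
        hits.append({
            "src": m.group("src"),
            "username": q.get("username", [""])[0],
            "password": password,
            "known_password": password in SEEN_PASSWORDS,
            # keep digits only, dropping any stray separator characters
            "number": re.sub(r"\D", "", q.get("number", [""])[0]),
        })
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Apr/2025:10:00:01 +0000] "GET /cgi-bin/sms_send?username=user1&password=user_pass&number=00966549306573&text=test HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.7 - - [24/Apr/2025:10:02:13 +0000] "GET /cgi-bin/sms_send?username=user1&password=rut9xx&number=0032493855785&text=test HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.5 - - [24/Apr/2025:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_sms_send_probes(SAMPLE_LOG):
        print(hit)
```

On a server that is not an SMS gateway these requests are only scan noise; on a network that does have such a gateway, the same check over its logs shows which credentials were tried against it.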

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

Keywords: sms teltonika