From what I saw while poking around the system, it looks like telnet is just a leftover from development that should have been removed. If it really were malicious, I would expect it to be more well hidden.
We bought a 24 channel q-see brand DVR. When it went to boot up, during disk initialization, it specifically mentioned '/dev/sda' and such, so I knew it ran some embedded Linux. I decided to check it out via nmap to see if there was anything interesting running. Port 23 was open. I telnet-ed into the damn thing and was able to log into root with no password. Needless to say, that was fixed.