A vulnerability which has existed for over a decade in OpenSSH has led to today’s IoT devices being used in targeted attacks.
In what researchers call the “Internet of Unpatchable Things,” a 12-year-old security flaw is being exploited by attackers in a recent spate of SSHowDowN Proxy attacks.
The Internet of Things (IoT) is an emerging market full of Wi-Fi and networked devices including routers, home security systems, and lighting products. While the idea of making your home more efficient and automating processes is an appealing one, unfortunately, vendors en masse are considering security as an afterthought for thousands of devices now in our homes, leaving our data vulnerable.
There is another edge to this sword — by connecting such vulnerable devices to the web, attackers can harness these products to create armies of traffic-generating systems which can be used to overload legitimate services.
Last month, a 620 Gbps distributed denial-of-service (DDoS) attack disrupted the Krebs on Security blog, for example, and this was made possible through the enslavement of vulnerable IoT products.
On Wednesday, cloud service provider Akamai Technologies released a report into rising IoT-based attacks which documented the discovery of cyberattackers utilizing a 12-year-old vulnerability in OpenSSH to remotely generate vast amounts of traffic in a recent spate of SSHowDowN Proxy attacks.
The security flaw being exploited to create IoT slave networks, CVE 2004-1653, relates to OpenSSH default configurations which enables TCP forwarding and port bounces when a proxy is in use.
While the vulnerability itself is nothing new, the research team found that the continual failure of IoT device vendors to secure IoT and implementing default and hard-coded credentials is throwing the door wide open for attackers to exploit them.
Akamai says that SSHowDowN Proxy large-scale attacks are being made possible through millions of vulnerable devices, including CCTV, satellite antenna equipment, routers, and external storage products.
Lax credential security has paved the way for attackers to access web admin consoles of vulnerable devices, create SSH tunnels and launch attacks only against internal networks which host IoT devices, but also “any kind of Internet target and against any kind of Internet-facing service such as HTTP, SMTP and network scanning,” according to the team.
These include DDoS attacks, unauthorized access attacks and attempts to compromise configuration setups on proxies themselves and servers.
“We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” says Eric Kobrin, director of Information Security at Akamai.
“New devices are being shipped from the factory not only with this vulnerability exposed but also without any effective way to fix it,” Kobrin added. “We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”
If you own IoT devices, you can make a difference not only to these large-scale attacks but your own protection if you change any factory and default credentials as soon as you activate your products, and for the more technically-minded, establishing inbound firewall rules which prevent SSH access from external forces will also improve security.
However, the problem many consumers and security professionals face is that not every vendor allows these modifications — and they, in turn, should do their part by allowing default credentials to be changed — and perhaps enforce these changes at setup.