News that a 12-year-old vulnerability in OpenSSH has led to numerous targeted attacks has shaken the world of IoT, again revealing just how unreliable the devices are.
Following the massive DDoS attack launched on KrebsOnSecurity by a giant IoT botnet, Akamai Technologies researched the problem and established that criminals use misconfigured IoT devices and a vulnerability called SSHowDowN Proxy to launch attacks from remote locations. Smart devices such as CCTV, routers, satellite antenna equipment and external storage products have been linked to SSHowDowN Proxy mass-scale attacks.
After analyzing multiple devices, the research team discovered that attackers exploited weaknesses in their operating systems to use them as proxies to direct malicious traffic to victim sites.
“Once an IoT device allows a remote user to form an SSH tunnel, and to use it as a SOCKS proxy, the attacker is not limited to only mounting attacks against Internet-facing servers, but also as a ‘beachhead’ to launch attacks against the internal network hosting the Internet-connected device,” researchers say.
Both end-users and manufacturers can take immediate measures to prevent future attacks. Private users should change the factory-default login credentials of every device connected to the Internet (for example, the common “admin”/“admin” pair), disable SSH unless it is actually needed, and apply inbound and outbound firewall rules to their IoT devices; vendors, for their part, should ship devices with stronger security and with SSH disabled.
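As an added example (not part of the article or of Akamai's research), the following POSIX shell audit reads an sshd_config and flags the settings that let an ordinary SSH login be turned into a port-forwarding hop or SOCKS proxy, which is the behaviour described above; the defaults it assumes for absent keywords are OpenSSH's documented ones, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for settings that let a login open
# SSH tunnels (-L/-D) or keep factory passwords usable. Defaults assumed
# for absent keywords match OpenSSH's documented defaults.

# effective_value FILE KEY DEFAULT: the value sshd uses for KEY in the global
# section (first occurrence wins; anything after a Match line is conditional
# and deliberately ignored here).
effective_value() {
    v=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                    # comment line
        NF == 0 { next }                             # blank line
        tolower($1) == "match" { exit }              # conditional section starts
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# audit_sshd FILE: print one line per weak setting, nothing when hardened.
audit_sshd() {
    f=$1
    [ "$(effective_value "$f" AllowTcpForwarding yes)" = no ] ||
        echo "AllowTcpForwarding yes: any login can open -L/-D tunnels (SOCKS proxy)"
    [ "$(effective_value "$f" GatewayPorts no)" = no ] ||
        echo "GatewayPorts on: forwarded ports are reachable from other hosts"
    [ "$(effective_value "$f" PermitTunnel no)" = no ] ||
        echo "PermitTunnel on: tun device forwarding allowed"
    [ "$(effective_value "$f" PasswordAuthentication yes)" = no ] ||
        echo "PasswordAuthentication yes: factory-default passwords remain usable"
    return 0
}

# count_findings FILE: number of weak settings reported by audit_sshd.
count_findings() { audit_sshd "$1" | wc -l | tr -d ' '; }

# Constructed sample configs: a typical as-shipped device and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# forwarding options never set, so the OpenSSH defaults apply
Port 22
PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
PasswordAuthentication no
Match User backup
    AllowTcpForwarding yes
EOF

audit_sshd "$WEAK_CFG"
echo "weak: $(count_findings "$WEAK_CFG") finding(s), hardened: $(count_findings "$HARD_CFG")"
```

The hardened sample keeps forwarding enabled only inside a Match block, which the audit treats as conditional rather than global; review such blocks by hand.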
“We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” explained Ory Segal, senior director, Threat Research, Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”