A 12-year-old vulnerability in the OpenSSH security utilities suite is letting hackers launch massive distributed denial of service (DDoS) attacks using Internet of Things devices, according to new research.
The vulnerability has essentially enabled the “Internet of Unpatchable Things,” as there is no effective way to fix the problem in many devices, said Ory Segal, senior director of threat research at Akamai Technologies.
Last month, IoT devices were linked to a DDoS attack on the KrebsOnSecurity.com Web site that writer Brian Krebs called “among the biggest assaults the Internet has ever witnessed.” According to data from Arbor Networks, DDoS attacks are growing in size and frequency. By the end of 2016, the average attack is expected to be “large enough to knock most businesses offline,” according to Arbor Networks.
CCTV Devices, Modems, Routers at Risk
“After analyzing large data sets from Akamai’s Cloud Security Intelligence platform, we discovered several common features, which led us to believe that the IoT devices were being used as proxies to route malicious traffic against victim sites,” Akamai researchers Segal and Ezra Caltum wrote in their new report.
On further investigation, Segal and Caltum identified what they called “SSHowDowN Proxy” attacks that use an OpenSSH vulnerability to access the Web administration consoles of IoT devices to compromise data on those devices or, in some cases, take them over completely.
Among the devices likely to have that vulnerability are CCTV (closed circuit television) cameras and other devices for video surveillance, satellite antenna equipment, networking devices such as modems and routers, and Internet-connected network-attached storage devices.
Segal and Caltum are recommending that users of such devices try to protect themselves by always changing the factory default credentials for any Internet-connected devices they own. They said users should also completely disable the SSH service on every such device unless it’s needed for normal operations. If devices need SSH to function properly, users should set “AllowTcpForwarding No” in the device’s sshd_config file.
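One way to check that setting, as an added example that is not code from the Akamai report or this article: it reads sshd_config text and reports whether TCP forwarding is really off, following sshd's documented rules that the first value for a keyword wins, the default is yes when the keyword is absent, and Match blocks can override the global value. The function name and sample configs are constructed for illustration, and Include files are not followed.

```python
import re

# Constructed sample configs (not taken from any real device).
HARDENED = "Port 22\nAllowTcpForwarding no\n"
UNSET = "Port 22\nPermitRootLogin no\n"
SHADOWED = "AllowTcpForwarding yes\nAllowTcpForwarding no\n"
MATCH_OVERRIDE = "AllowTcpForwarding no\nMatch User admin\n    AllowTcpForwarding yes\n"

def audit_tcp_forwarding(config_text):
    """Return (effective_global_value, findings) for AllowTcpForwarding."""
    global_value = None   # first value seen outside any Match block
    match_values = {}     # Match criteria -> first value seen inside that block
    current_match = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace and/or one "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        args = parts[1].split() if len(parts) > 1 else []
        if keyword == "match":
            current_match = " ".join(args)  # block runs to the next Match or EOF
        elif keyword == "allowtcpforwarding" and args:
            value = args[0].strip('"').lower()
            if current_match is not None:
                match_values.setdefault(current_match, value)
            elif global_value is None:      # sshd uses the first value obtained
                global_value = value
    effective = global_value or "yes"       # sshd's default when the keyword is absent
    findings = []
    if global_value is None:
        findings.append("AllowTcpForwarding not set; default is yes")
    elif effective != "no":
        findings.append(f"global AllowTcpForwarding is '{effective}'")
    for criteria, value in match_values.items():
        if value != "no":
            findings.append(f"Match {criteria} sets AllowTcpForwarding '{value}'")
    return effective, findings

if __name__ == "__main__":
    for name in ("HARDENED", "UNSET", "SHADOWED", "MATCH_OVERRIDE"):
        print(name, audit_tcp_forwarding(globals()[name]))
```

The SHADOWED case shows why appending the directive to the end of an existing file is not enough: an earlier "yes" line still wins.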
‘Mirai’ Malware Release Could Fuel More Attacks
IoT device-related security problems are likely to increase with the recent public release of the “Mirai” malware, which powers the botnet that can be used to launch DDoS attacks through such devices, Krebs noted recently.
The malware works by “continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords,” Krebs said. The source code for Mirai shows the botnet can work with well over 68 IoT devices and perhaps many more, he added.
Vendors can help reduce the vulnerability of their devices by requiring users to change the factory default credentials after installation, disabling SSH unless necessary and providing a “secure process for end-users to update sshd configuration so that they may mitigate future vulnerabilities without having to wait for a firmware patch,” according to the Akamai report.
Some companies, such as Panasonic and Samsung, are now requiring each user to choose a unique password for devices like Internet-connected video cameras. However, even such precautions “may or may not address the fundamental threat,” Krebs said.
Part of the problem is that IoT devices typically cost much less than the average computer or smartphone, which means that manufacturers are selling them at relatively small profit margins, cybersecurity expert Bruce Schneier noted in a blog post Monday. As a result, IoT device makers often have little incentive to incorporate strong security or regularly update security protocols, he said.
“Even though the source code to the botnet that attacked Krebs has been made public, we can’t update the affected devices,” Schneier said. “Microsoft delivers security patches to your computer once a month. Apple does it just as regularly, but not on a fixed schedule. But the only way for you to update the firmware in your home router is to throw it away and buy a new one.”