Akamai researchers say attackers are using an old OpenSSH vulnerability to target IoT devices and launch attacks.
While the Internet of Things is touted for facilitating all sorts of life-changing services, there's been an undercurrent of anxiety among the more security conscious IT pros. Their concern: All those smart devices, oftentimes built with default passwords and otherwise poor protection, could put networks and users at risk. Now it's clear those fears were warranted.
Recent events have put the spotlight on IoT security – or to be more precise, IoT insecurity. Malware has surfaced that allows attackers to create botnets from vulnerable IoT devices and launch distributed denial-of-service attacks. For example, Mirai was used in last month's high-profile DDoS attack on the KrebsOnSecurity website.
In September, Symantec reported that cybercriminals are taking advantage of poor IoT security to hijack home networks and consumer devices and carry out DDoS attacks, most often against large companies.
"Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected," Symantec researchers wrote in a blog post. "Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords.
On Wednesday, Akamai said its researchers tracked a recent spate of attacks in which criminals are using vulnerable IoT devices as proxies to route malicious traffic. Attackers are exploiting a 12-year-old vulnerability in OpenSSH -- an encryption tool use for remote login – in IoT devices to remotely generate attack traffic, according to Akamai.
"We would like to emphasize that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of Internet-connected devices," wrote Ezra Caltum, Akamai senior security research team leader and Ory Segal, Akamai senior director of threat research.
They reported seeing SSHowDowN proxy attacks from video surveillance devices, satellite antenna equipment, networking devices such as routers and cable modems, and Internet-connected network-attached storage devices. Cybercriminals are using the compromised devices to launch attacks against internet-facing services such as HTTP and SMTP as well as internal networks hosting the IoT devices.
"We’re entering a very interesting time when it comes to DDoS and other web attacks; 'The Internet of Unpatchable Things' so to speak,” Eric Kobrin, director of information security at Akamai, said in a prepared statement. "New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality."
Akamai offered several mitigation measures, including changing the SSH password or keys on the device so they're different than the vendor defaults, although the company noted that often isn't possible with most IoT devices. Disabling SSH entirely via the device's administration console is another option, according to Akamai. If the device is behind a firewall, companies can consider restricting outbound connections from IoT devices to the minimal set of ports and IP addresses required for their operation.
In an effort to nip additional IoT security problems in the bud, the Cloud Security Alliance last week issued guidance for secure IoT product development. The report, "Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products," is designed to help developers of IoT products and services understand basic secure measures.