Akamai: 12-Year-Old SSH Vulnerability Fueling Internet-Of-Broken-Things DDoS Attacks, And Worse
from the security-as-a-distant-afterthought dept
We’ve increasingly covered how the “internet of poorly secured things” has contributed to a rise in larger DDoS attacks than ever before. The barely-there security standards implemented by companies more interested in hype than quality meant it didn’t take long before hackers were able to incorporate “smart” refrigerators, power outlets, TVs and other IoT devices into the kind of DDoS attacks that recently took down the website of security researcher Brian Krebs. The end result is DDoS attacks that continue to break records: first 620Gbps in the Krebs attack, then more recently a 1.1 terabits per second attack on a French web host.
But just how bad have things become? A new report by Akamai warns that hackers are using a 12-year-old vulnerability in OpenSSH to funnel malicious network traffic through IoT devices. SSH certainly can be implemented securely, but as with every other security aspect of the IoT, many hardware vendors aren’t bothering to do so. Akamai’s data indicates roughly 2 million devices have been compromised by this type of hack, which the firm dubs SSHowDowN.
CVE-2004-1653 describes a default configuration in old versions of OpenSSH that leaves TCP port forwarding enabled, so anyone who can log in to the device can use it to forward ports and route malicious traffic through it as part of the overall DDoS command-and-control infrastructure. To pull this off you need the device’s admin username and password, which is hardly an obstacle in the IoT space, where default logins are often the norm. Akamai notes that many IoT devices not only ship with this vulnerability intact, but with no ability to fix it:
“We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” explained Ory Segal, senior director, Threat Research, Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”
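As an added example (not code from the article or from Akamai), the following script audits an OpenSSH sshd_config the way a defender would check a device image for the forwarding default described above: directives the vendor never set are given OpenSSH’s documented defaults, so a config that is silent about AllowTcpForwarding is reported as forwarding-enabled. The sample configs are constructed, and Match blocks are ignored.

```python
# Added example, not code from the article or Akamai: audit an sshd_config for
# the settings behind SSHowDowN-style relaying. Directives the vendor never
# set get OpenSSH's documented defaults, which is the crux of CVE-2004-1653:
# AllowTcpForwarding is "yes" unless explicitly turned off. Match blocks skipped.

DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permitrootlogin": "prohibit-password",   # older releases defaulted to "yes"
    "passwordauthentication": "yes",
}


def effective_config(text):
    """Global directives in effect: the first occurrence wins, as in sshd."""
    seen, in_match = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # blank or comment line
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":                         # conditional block: out of scope
            in_match = True
        elif not in_match:
            seen.setdefault(key, value)
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def audit(text):
    """Findings for the relay and login settings; [] means nothing was flagged."""
    cfg = effective_config(text)
    findings = []
    if cfg["allowtcpforwarding"] != "no":          # yes/all/local/remote all relay
        findings.append("AllowTcpForwarding=%s: any account that can log in "
                        "can relay TCP traffic through the device" % cfg["allowtcpforwarding"])
    if cfg["gatewayports"] != "no":
        findings.append("GatewayPorts=%s: forwarded ports bind on all interfaces" % cfg["gatewayports"])
    if cfg["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication=yes: a factory password is enough to log in")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin=yes: password login as root is allowed")
    return findings


# Constructed samples: a vendor config that never mentions forwarding, and a hardened one.
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("AllowTcpForwarding no\nGatewayPorts no\nPermitRootLogin no\n"
            "PasswordAuthentication no\nPubkeyAuthentication yes\n")
```

Running `audit(WEAK)` returns three findings, led by the forwarding default; `audit(HARDENED)` returns an empty list.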
Of course the internet-of-poorly-secured things isn’t just useful for DDoS attacks. Brian Krebs has penned a new blog post noting how criminals are often using hacked IoT hardware as proxies to obscure their real location as they engage in tax return fraud and other criminal activity, courtesy of your not-so-smart WiFi-enabled tea kettle or home-automation system. An anonymous researcher tells Krebs he was able to track the various “honeypot” systems he configured as they were traded and sold as malware-infested proxies in exchange for bitcoin.
In short, flimsy Internet of Things security, combined with already often-dubious embedded security in routers, is kind of a throwback to the wild west of the 1990s when the idea of your mom’s PC as a botnet participant was kind of novel. Krebs’ source puts it this way:
“In a way, this feels like 1995-2000 with computers,” my source told me. “Devices were getting online, antivirus wasn’t as prevalent, and people didn’t know an average person’s computer could be enslaved to do something else. The difference now is, the number of vendors and devices has proliferated, and there is an underground ecosystem with the expertise to fuzz, exploit, write the custom software. Plus, what one person does can be easily shared to a small group or to the whole world.”
And again, while the abysmal state of IoT security can often be funny, firms like Gartner predict that the population of Internet of Things devices will top 20.8 billion by 2020, up from 6.4 billion or so today. Researchers like Bruce Schneier have been warning for some time that the check is about to come due in the form of attacks that may put human lives at risk at an unprecedented scale, lighting a fire under researchers who believe that automated cyberdefense and self-healing network technologies we haven’t invented yet are what stand between us and the not-so-smart device cyber apocalypse.
Comments on “Akamai: 12-Year-Old SSH Vulnerability Fueling Internet-Of-Broken-Things DDoS Attacks, And Worse”
Configure to prevent exploitation at the source
IoT devices should by default live on a separate subnet within the home network, ideally on a separate port on the router from the rest of the home LAN (VLAN tagging makes this easy, it’s already used to isolate the WAN port from the LAN ports and WiFi network). WiFi devices should work on a separate WiFi network (the same way guest networks work). Restrict the IoT network so it doesn’t have access to the Internet and in large part you cut off the ability to exploit IoT devices even if they’re vulnerable.
Re: Configure to prevent exploitation at the source
While I agree with you, most of the design of the control software on these devices doesn’t even assume that a home network would have more than 1 broadcast domain or subnet. This leads to apps not being able to connect from wireless if the IoT thing is on another subnet/etc.
It causes some issues from time to time, especially when they auto-discover their counterparts or control devices on one subnet and don’t think there might be another locally. I recently had an issue with a Chromecast like this: it was joined to the 2.4 GHz wireless, which was technically being used as a sort of “device WiFi”, and my phone on the 5 GHz wireless (on another subnet/VLAN) wouldn’t allow me to enter an IP – it just kept trying to search the one VLAN/subnet.
That was before they released Chromecasts with 5 GHz support, so maybe they fixed this, but things like these non-considerations for more complicated home networks turn me off to most IoT devices. That and I trust the security in them so little I doubt I would let the VLAN they are on out to the internet, which probably breaks most of them.
tl;dr: agreed, but that breaks a lot of the functionality of these things.
Re: Configure to prevent exploitation at the source
So you want to take the I out of IoT? Works great for all of the LoT (LAN of Things) devices you have in your home while you are at home. But what about that device you want to control remotely from your phone? The moment you want to turn off a light while not connected directly to your network, you will need to put the I back in IoT.
Re: Configure to prevent exploitation at the source
You guys keep making it sound like these are home automation products in western countries. Apparently they are old routers and security cameras in predominantly third world countries that are the issue. There were no tea kettles involved.
While this is a problem your coverage is portraying it falsely.
Re: Re:
“New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it.”
every single person should read this
who even spends time on the intertubes or interacts with computers at all
http://www.stilldrinking.org/programming-sucks
anybody stupid enough to buy smart devices and appliances deserves what happens to them.
the shame here is unrelated people being harmed.
Random Default Passwords
The worst part is most of the problem isn’t even unpatched security vulnerabilities, it’s default passwords.
Many router manufacturers have at least gotten the message and burn a random default password into the ROM. It goes on a sticker right next to the serial number.
Sure, there are plenty of other vulnerabilities in these devices that will never be patched, but using a random password should cut out most of the malicious activity we see today.
Liability
If you leave a loaded gun on a playground you’ll be held criminally liable when someone gets hurt. Why should these device manufacturers be treated any different?
Re: Liability
because they didn’t leave it in the playground, you did
Re: Re: Liability
They forgot to install the safety
Re: Liability
Your conclusion doesn’t follow. Leaving a loaded gun on a playground isn’t the fault of the manufacturer, and indeed, in most if not all such cases of firearm misuse by the end user, the manufacturer is legally not liable (see 15 USC §§ 7901-7903).
Likewise, if we follow your initial premise, getting your IoT device hacked because you were too stupid to change the default password or take other protective measures to prevent unauthorized access is not the fault of the manufacturer, particularly if as part of the setup instructions for the device, the manufacturer recommended changing the password or taking other protective measures.
To make this work, you’d have to prove malicious intent or neglect on the part of the manufacturer, who in most cases could probably point to their operating instructions and shrug such charges off.
Why are all these devices directly on Internet?
No firewalls? No routers?
You’d think everyone is putting the spare key under the doormat.
Re: Why are all these devices directly on Internet?
Because it’s cheaper.
Here’s what the camera makers are doing at least:
Now you can easily check your cheap WiFi camera from the smartphone app anywhere. All you need to do is run the app once while connected to the local network.
The alternative is persistent connections and the vendor having to (gasp) actually maintain some infrastructure.
Re: Why are all these devices directly on Internet?
Some of these devices are routers.
It’s bullshit to call this an SSH vulnerability. Perhaps enabling forwarding was an unwise default, but only authenticated users can use it. If SSH forwarding were disabled, the attackers could probably still log in as admin and enable SSH or other forwarding.
The default password is the problem. SSH shouldn’t be enabled until the owner sets a password. Or maybe for a minute or two after a button is pressed, so they can set the password in the first place.
I'm confused
From what I’ve read on Krebs and here amongst other places, most of the attacks on the common devices (cameras, media players, other similar devices) require the attacker to be able to hit the SSH port of the device.
Surely ANY NATting router/firewall would block these attacks stone cold. If you can’t probe the ports of the device, or hit it directly because it’s behind a NAT, how does an attacker even know there’s a device there to attack?
And if you DO want to access the camera (for example) from the Internet, surely this requires doing a port forward of the streaming port on the NAT? E.g. if it’s HTTP-based, you’d forward some random (but known to you) port on the router to the camera’s (non-routable)IP:80? Since it’s not the SSH port, the SSH attack can’t be used.
Re: I'm confused
See my previous comment.
These devices are meant to be used by smartphones away from home, but the manufacturers don’t want to pay for infrastructure. Home routers have a feature, called UPnP, to allow devices to punch through the Network Address Translation (NAT) layer and become accessible to the public internet. These devices use that feature.
Turning off UPnP will not protect you if someone is close to your house in person, but will prevent the attacks talked about in the article.
Re: Re: I'm confused
This is why I always turn off UPnP on my router by default.
Such a massive security risk.
Re: I'm confused
NAT and firewalling are completely orthogonal concepts that have nothing to do with each other. …
The IOT industry is afraid. I have seen its true face.
The accumulated filth of all their greed and arrogance will foam up about their waists and all the heedless early-adopters and parsimonious developers will look up and shout Save us!… and I’ll whisper no.
I assume ISPs will end up being forced to implement filters on outbound traffic to block such attacks. Of course, given the implementation of other security and infrastructure improvements, we’ll have to wait for some serious financial damage before they actually do it.
Re: Re:
At the rate backbone bandwidth is increasing, they will need to filter the data at the customer’s connection. This means increased costs for modems and ONTs that support filtering.
We’re fast approaching a physics limit that we have to choose between moving the data faster or processing the data. Of course everyone wants to move more data. This is why people are talking about high speed photonic processing of route packets. This is very simple processing not capable of much more than route tables. Any filtering you try to place after will be like drinking from a firehose. Not even dedicated ASICs will be able to keep up.
Re: Re: Re:
True enough. Still, an ISP can detect a large amount of traffic being directed at unusual targets. It’s expected to have huge traffic towards YouTube, but towards Krebs? You don’t have to filter individual traffic as far as I can see. And once you identify these unusual traffic spikes you can identify who generated it and proceed to tackle the individual user issues (i.e. get in touch and warn the user that the system detected malware traffic from their end). Users are generally not tech savvy, so a little help won’t hurt and it may help save resources for the ISP.
Krebs is doing his job identifying both networks and devices that are more compromised. There’s a Chinese network that is almost fully compromised. It’s safe to say that blocking it all will help mitigate the problem for instance.
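As an added example (not from the comment’s author), the per-customer spike check the comment sketches, run over constructed per-window flow summaries: a customer is flagged when the bytes it sends to one destination in the current window reach a multiple of its own baseline to that destination, or an absolute floor for a destination it never contacted before. The thresholds and flow records are assumptions for illustration.

```python
# Added example, not from the comment's author: the per-customer check the
# comment sketches, run over constructed per-window flow summaries. A customer
# is flagged when the bytes it sends to one destination in the current window
# reach a multiple of its own baseline to that destination, or a byte floor
# for a destination it never contacted before. Thresholds are illustrative.
from collections import defaultdict

# (customer_id, dst_ip, bytes_out) for the baseline window and the current one.
BASELINE = [
    ("cust-17", "203.0.113.10", 8_000_000),     # habitual video traffic
    ("cust-17", "198.51.100.5", 20_000),
    ("cust-42", "203.0.113.10", 1_500_000),
]
CURRENT = [
    ("cust-17", "203.0.113.10", 9_000_000),     # modest growth: fine
    ("cust-17", "192.0.2.77", 400_000_000),     # never seen, huge: flag
    ("cust-42", "198.51.100.5", 120_000),       # new but small: ignore
    ("cust-42", "203.0.113.10", 30_000_000),    # 20x its usual volume: flag
]


def volumes(flows):
    """Aggregate bytes per (customer, destination) pair."""
    agg = defaultdict(int)
    for cust, dst, nbytes in flows:
        agg[(cust, dst)] += nbytes
    return agg


def flag_customers(baseline, current, ratio=10.0, new_dst_floor=50_000_000):
    """Return {customer: [(dst, current_bytes, baseline_bytes), ...]}."""
    base, now = volumes(baseline), volumes(current)
    flagged = defaultdict(list)
    for (cust, dst), nbytes in now.items():
        prior = base.get((cust, dst), 0)
        if prior == 0:
            anomalous = nbytes >= new_dst_floor   # unseen target: absolute floor
        else:
            anomalous = nbytes >= ratio * prior   # known target: relative spike
        if anomalous:
            flagged[cust].append((dst, nbytes, prior))
    return dict(flagged)
```

The flagged customers are the ones the ISP would contact; the habitual video traffic and the small new connection stay below both thresholds.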
Re: Re:
Or wait for a hacker to cause devastation through an IoT enabled car :/
IdiOT
I think you folks are having brain farts. Blaming it only on the refer, oven and poor routers. You forgot about the thermostat for your heating and the ridiculously-needs-to-be-connected-now light bulb. I still ask the question, at work, why the light bulb gets priority over my connection to Facebook? Or why does the refer get priority over the boss’s connection to porn?
Without forwarding the port?
Even if the password is default, and even if the device has access to WAN, don’t you have to create the rule on the router forwarding incoming traffic on this specific port to the device?
In fact, many SSH products on the market use outdated and old ciphers, making SSH obsolete and vulnerable, which is the same as easily hacked SSH. I purchased an SSH client for Android here https://www.georgiasoftworks.com/connectbot-client-android, first making sure that they use current encryption. GSW ConnectBot offers the most reliable encryption available on the commercial market! It adapts to your company, easily changes settings, and generally works with a wide range of hosts.