A 12-Year-Old SSH bug exposes more than 2 Million IoT Devices

0

IoT devices are a privileged target for hackers, design flaws and wrong configurations open to the attackers. Recently we read about massive DDoS attacks powered by huge botnets powered by hundreds of thousand compromised devices.

The number of potentially exposed IoT devices is growing day by day, security experts from Flashpoint firm have recently discovered more than 500,000 vulnerable IoT devices that could be potentially recruited in the Mirai botnet.

A new research published by Akamai Technologies states that threat actors in the wild are exploiting a 12-year-old vulnerability in OpenSSH, tracked as CVE-2004-1653, to hack into millions of IoT devices.

“While this has been reported before, the vulnerability has resurfaced with the increase of connected devices. Our team is currently working with the most prevalent device vendors on a proposed plan of mitigation. We would like to emphasize that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of Internet-connected devices, which is actively being exploited in mass scale attack campaigns against Akamai customers.” states the report published by Akamai Technologies.

The new attack was dubbed by the experts SSHowDowN Proxy because attackers are able to use the compromised IoT devices as proxies for malicious traffic. The SSHowDowN Proxy attack exploits the CVE-2004-1653 flaw to enable TCP forwarding and port bounces when a proxy is in use.

Akamai confirmed that at least 11 of its customers in various industries, including financial services, hospitality, retail, and gaming have been hit with of SSHowDowN Proxy attacks.

“Given credentials for a user account, often unchanged or unchangeable in IoT deployments, an attacker can use the-D or -L flags to ssh in order to turn the victim machine into a proxy (see diagram below) The -N flag can be added to prevent launching one of the disabled shells.”

1

The recent SSHowDowN Proxy attacks leverage on a wide range of connected devices, including:

  • CCTV, NVR, DVR devices (video surveillance).
  • Satellite antenna equipment.
  • Networking devices (e.g. Routers, Hotspots, WiMax, Cable and ADSL modems, etc.).
  • Internet-connected NAS devices (Network Attached Storage).

Akamai estimates that over 2 Million IoT devices and networking systems have been already compromised by SSHowDowN type attacks.

Unfortunately, the vast majority of devices is exposed due to lax credential security, it is quite common to find smart objects configured with vendor default passwords or keys. Another shocking error is that some vendors still implement default and hard-coded credentials.

The attacker used the password to remotely access the IoT devices and take full control over the system.

“New devices are being shipped from the factory not only with this vulnerability exposed but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.” explained Eric Kobrin, senior director of the Akamai Threat Research team.

The first suggestion to mitigate the threat is to change the factory default credentials of your IoT device and disable, if possible, SSH services they expose.

Another defense measure could be the adoption of firewall that uses specific rules to manage SSH accesses to the devices.

Vendors of smart objects are recommended to:

  • Avoid shipping such products with undocumented accounts.
  • Force their customers to change the factory default credentials after device installation.
  • Restrict TCP forwarding.
  • Allow users to update the SSH configuration to mitigate such flaws.

There is no time to waste, it is crucial to adopt a security by design approach to protect billion of connected devices that are already surrounding us!