For at least the past year there have been repeated warning to makers of Internet-connected devices about the insecurity of their platforms. Another came today in a report from Akamai Technologies’ threat research team, which has delved into a recent burst of distributed attacks leveraging IoT devices.
In this case they are SSHowDowN Proxy attacks using a 12-year old vulnerability in OpenSSH.
“We’re entering a very interesting time when it comes to DDoS and other web attacks — ‘The Internet of Unpatchable Things’ so to speak,” Eric Kobrin, Akamai’s director of information security, said in a statement. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”
Akamai emphasizes this isn’t a new vulnerability or attack technique. But it does show a continued weakness in many default configurations of Internet-connected devices.
These particular attacks have leveraged video surveillance cameras and digital recorders, satellite antenna equipment, networking devices (including routers, switches, Wi-Fi hotspots and modems) and Internet-connected network attached storage. They are being used to mount attacks on any Internet targets as well as internal networks that host connected devices.
Unauthorized SSH tunnels were created and used, despite the fact that the IoT devices were supposedly hardened and do not allow the default web interface user to SSH into the device and execute commands, Akamai said. Then attackers used to conduct a mass-scale HTTP-based credential stuffing campaigns against Akamai customers.
It offers this mitigation advice to infosec pros:
–if possible configure the SSH passwords or keys on devices and change those to passwords or keys that are different from the vendor defaults;
–configure the device’s SSH service on your device and either add “AllowTcpForwarding No” and “no-port-forwarding” and “no-X11-forwarding” to the ~/ssh/authorized_ keys file for all users, or disable SSH entirely via the device’s administration console;
–if the device is behind a firewall, consider disabling inbound connections from outside the network to port 22 of any deployed IoT devices, or disabling outbound connections from IoT devices except to the minimal set of ports and IP addresses required for their operation.
It also urges device vendors to
–avoid shipping Internet-connected devices with undocumented accounts;
–disable SSH on devices unless absolutely required for normal operations;
–force users to change factory default account credentials after initial installation;
–configure SSH to disallow TCP Forwarding;
–and to provide a secure process for end-users to update SSHD configuration