It’s well known that the Internet of Things is woefully insecure, but the most shameful and frustrating part is that some of the vulnerabilities that are currently being exploited could have been eradicated years ago. Now evidence of how these bugs are being used in attacks is calling attention to security holes that are long overdue to be plugged.
New research released this week from the content delivery network Akamai takes a closer look at how hackers are abusing weaknesses in a cryptographic protocol to commandeer millions of ordinary connected devices—routers, cable modems, satellite TV equipment, and DVRs—and then coordinate them to mount attacks. After analyzing IP address data from its Cloud Security Intelligence platform, Akamai estimates that more than 2 million devices have been compromised by this type of hack, which it calls SSHowDowN. The company also says that at least 11 of its customers—in industries like financial services, retail, hospitality, and gaming—have been targets of this attack.
The exploited protocol, called Secure Shell (SSH), is commonly used to facilitate remote system access and can be implemented robustly. But many IoT manufacturers either don’t incorporate it or are oblivious to the best practices for SSH when setting up default configurations on their devices. As makers scramble to bring their products to market, these oversights sow widespread insecurity in the foundation of the Internet of Things.
“This is something we’ve known about for a dozen years,” says Martin McKeay, a security advocate at Akamai. “This is a vulnerability that we’ve seen before. It should not be happening. But we’re going to be seeing this more and more as everything gets an IP address and has an administrative interface. These products have to be thought through and protected before they get into the home.”
Akamai says it is working with device vendors to improve their SSH implementation and cites the network video recorder maker NUUO, the satellite antenna maker Intellian, the WiMax router maker Green Packet, the hotspot maker Ruckus, and the network-attached storage device maker Synology as companies that sell one or more products in which it detected SSH flaws. Ruckus published a security advisory in 2013 about the potential to use SSH for “unauthenticated TCP tunneling.” Sudhakar Padala, Ruckus’ senior principal security architect, stated in an email to WIRED that the Akamai warning seems to match the vulnerability Ruckus had “immediately corrected” in 2013. He added, “Akamai did not alert us to this new report. We take all security vulnerabilities extremely seriously.” In its report, Akamai cites Ruckus’s 2013 advisory but adds, “This was one of the affected device types discovered during our research.”
The network-attached storage device maker Synology stated in an email that it is aware of weaknesses in SSH, and the protocol has always been disabled by default in its products.* As of April, the company also added a software feature that forces people to create custom administrator accounts with a minimum six-character password when they set up Synology devices. As a result of Akamai’s research, Synology writes, “Now we think the 6-character minimum requirement might not be enough and are planning to enforce a stronger password policy for the administrator account.” The company says that it issues frequent security patches but knows that these are only effective if its customers ensure that their devices are running the most up to date software. Intellian declined to comment. The other companies could not yet be reached for comment.
The Akamai researchers found that hackers have been able to establish unauthorized SSH connections, called “tunnels,” with IoT devices to then route malicious traffic as part of command and control infrastructure. Akamai observed this strategy being used for attacks like credential stuffing, in which attackers set up an automated system for trying to get into customer accounts on a site using credential pairs leaked in previous data breaches.
In one example, Akamai observed hackers using an account called “admin” to authorize an SSH tunnel to a network video recorder. They then used this access to generate and send malicious traffic from the video recorder. Some quick research revealed that the factory-default password for this administrator account was listed publicly as “admin.” From there the hackers were able to access other server communication tools, like the Transmission Control Protocol, and with relatively little effort access and direct the device. Additionally, from a hacker’s perspective, the approach has the added benefit of masking the true source of an attack, since the malicious traffic emanates from the network, and therefore IP address, of the hijacked IoT device.
Akamai has recommendations for manufacturers, like building in prompts for customers to change default administrator credentials, disabling SSH on devices unless it’s specifically needed, and creating ways for devices to easily receive configuration updates. For customers, the company advises changing factory default usernames and passwords when possible, disabling SSH traffic on home networks, and creating firewall restrictions on inbound and outbound SSH access if applicable. But one major concern is that, unlike having your Facebook account hacked, the average person will likely never realize that their IoT devices have been compromised in this way even if it happens to them. “It’s not something most people are actually going to notice,” McKeay says. “But it does mean that your network is going to be part of a chain of control.”
Concern about Internet of Things insecurities has grown as more attackers use the type of approach Akamai describes. Most recently, an army of centrally controlled IoT devices launched a massive distributed denial-of-service (DDoS) attack against the website of security reporter Brian Krebs. The attack created its botnet using malware called Mirai, which has since been publicly released, increasing the danger of future Mirai attacks.
In the case of the SSH hacks, Akamai emphasizes that nothing about the SSH vulnerabilities is really new and it’s true that these types of problems have been long foreseen. For example, a 2003 evaluation of SSH by the security firm SANS Institute noted, “The unfortunate reality is that SSH is not a ‘silver bullet’ capable of removing all dangers. Known exploits of SSH exist that can be used as attack vectors against a network.” But these and similar warnings were directed at more traditional computer networks during the early 2000s. The idea that IoT devices need to be protected with the same rigor is still developing, but for victims of IoT botnets it’s coming too slowly. “Embedded devices still tend to run old software stacks that have not been vetted and that either don’t implement security at all, don’t implement it properly, or might implement security but leave default passwords on there,” says Balint Seeber, the director of vulnerability research at the Internet of Things security company Bastille. “Both customers and companies are slowly waking up, and that’s great, but it’s just such a broad domain.”
Even if it’s a rude awakening, IoT devices now number in the tens of billions, and it’s time to protect them.