Akamai Warns of Account Takeovers Staged from Cameras, RoutersIoT Hackers Scoring Hits Using a 12-Year-Old OpenSSH Vulnerability
A long-known weakness in an authentication protocol shipped in millions of routers, surveillance devices and satellite antennas is being used in attempts to compromise accounts at popular web services, according to new research from Akamai.
The research findings add to concerns that hackers increasingly are using internet of things devices to stage attacks, a situation that experts say could be difficult or in some cases impossible to fix (see How an IT Pro Kicked Hackers Off Surveillance Cameras).
Akamai, which offers content delivery network services, says the equipment is being used as relays for "credential stuffing" attacks, where breached logins and passwords are used in an attempt to take over accounts. The IoT devices effectively act as proxies, masking the IP addresses from where the attacks actually originate.
The networking vendor cautioned that the technique is not a new vulnerability or attack, but that it has seen a dramatic rise in strikes against its customers.
"While this has been reported before, the vulnerability has resurfaced with the increase of connected devices," Akamai says in a 10-page technical report. "Our team is currently working with the most prevalent device vendors on a proposed plan of mitigation."
Although experts have warned that the increasing connectivity incorporated into devices will pose new security risks, the last couple of months have proved their predictions true. IoT devices are often poorly secured, ship with default login credentials and are never updated by manufacturers, making them more attractive targets than PCs, which are generally more secure.
In mid-September, devastating distributed denial-of-service attacks were launched that marshaled insecure devices. DDoS attacks flood online services with garbage data traffic, consuming resources and bandwidth with the goal of shutting services down (see Hacked IoT Devices Unleash Record DDoS Mayhem).
The situation described by Akamai doesn't involve DDoS attacks. The company began investigating a network video recorder that was sending suspicious traffic to its customers.
The device shipped with default passwords, which made it easy for attackers to take it over. Although users are encouraged to change default passwords, they're often left in place for as long as the devices lives.
Many IoT devices ship with OpenSSH, known as Secure Shell, which is a protocol that allows remote login. This particular DVR wouldn't allow someone to gain access to SSH using the default credentials. But the SSH configuration does allow someone to use the device as a proxy and forward their attack traffic through the IoT device to another service.
This authentication bypass vulnerability, which can allow for what's called "port bouncing attack," has been known for at least 12 years. Although some devices can be fixed to eliminate the vulnerability, other IoT devices can't be fixed, writes Eric Kobrin, who is director of adversarial resistance at Akamai. The company nicknamed the attack SSHowDowN.
Some of the attack traffic came from routers made by Ruckus Wireless, which is now owned by Brocade Communications Systems. Ruckus issued an advisory and a patch in 2013.
"It was discovered that a malicious user could abuse the TCP tunneling feature of the SSH daemon on Ruckus devices to proxy random TCP streams," the advisory reads. "The user does not have to be authenticated to the Ruckus device for requesting and establishing such a tunnel. Once a tunnel is established, the user's TCP stream would be carried over SSH to the Ruckus device, which would forward the traffic to an IP and port of the user's choosing."
Akamai says it has seen attack traffic coming from CCTV cameras, NVRs, digital video recorders, routers, ASDL modems and network attached storage devices.
IoT Security Standards
Compromising IoT devices offers a layer of security for hackers. The services experiencing the attack see the IP address of the hacked device in their logs. The owner of the IoT unit invariably has no idea about the abuse.
ISPs can also detect attack traffic and alert customers whom they think may have an infected device on their network. But IoT devices, particularly older ones, may no longer be supported by manufacturers and receive no security updates. Users plug in the devices, and as long as they're functioning, forget them.
Efforts are underway to ensure that future generations of devices can't be compromised so easily. The Open Connectivity Foundation has developed a security framework that is designed to allow IoT devices to communicate securely. The group is aiming to develop standards as well as a certification program that can be used across the industry.
And there is a sense of urgency: Gartner predicts that by 2020, some 20.8 billion IoT devices will be in use, up from about 6.4 billion this year, adding to a massive pool of already insecure devices - which could cause headaches for years to come.