12-year-old SSH vulnerability in IoT devices being abused

DDoS attacks will never be the same again.

There is a 12-year-old vulnerability in OpenSSH that hackers are now using to attack Internet of Things (IoT) devices and remotely generate traffic, according to new research. Akamai Technologies' researchers Ory Segal and Ezra Caltum have identified the attack and have dubbed it SSHowDowN Proxy. They say hackers are using it to target CCTV, NVR and DVR devices, satellite antenna equipment, networking devices such as routers or hotspots, and internet-connected NAS devices.

These devices are being used to mount attacks against 'a multitude of Internet targets and Internet-facing services, such as HTTP, SMTP and Network Scanning', the researchers say. They are also used to mount attacks against the internal networks that host these connected devices. Hackers are even capable of completely taking over compromised machines and tampering with their data.

“We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” explained Ory Segal, senior director, Threat Research, Akamai.  

“New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”  

The best way to mitigate these threats is to change all the default settings on these IoT devices as soon as you get them, the researchers say. If the device also offers direct file system access, do this:

Add "AllowTcpForwarding No" to the global sshd_config file.
Add "no-port-forwarding" and "no-X11-forwarding" to the ~/.ssh/authorized_keys file for all users.

If these options are unavailable, or if SSH access isn't required for the device to operate normally, SSH should be completely disabled via the device's admin console. If you have a firewall, do this: 

Disable inbound connections from outside the network to port 22 of any deployed IoT devices.
Disable outbound connections from IoT devices except to the minimal set of ports and IP addresses required for their operation.
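As an added example (not Akamai's code or the article's), the following POSIX shell audit checks a device that exposes its file system for the two sshd_config and authorized_keys settings recommended above. It assumes standard sh and awk, sshd's rule that the first occurrence of a keyword wins, the "Keyword value" syntax, and constructed sample files; it checks only the global AllowTcpForwarding value and skips Match blocks.

```shell
# Added example (not Akamai's code): audit an IoT device's SSH configuration for the two
# settings recommended above. Assumes POSIX sh + awk, "Keyword value" syntax, and sshd's
# rule that the first occurrence of a keyword wins (AllowTcpForwarding defaults to yes).
# Print the effective global AllowTcpForwarding value; stops at the first Match block.
tcp_forwarding_setting() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}
# Print key entries lacking both no-port-forwarding and no-X11-forwarding ("restrict"
# implies both) and exit 1 if any; options containing quoted spaces are not parsed.
unrestricted_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            opts = ""
            if ($1 !~ /^(ssh-|ecdsa-|sk-)/) opts = tolower($1)   # options precede the key type
            ok = opts ~ /(^|,)restrict(,|$)/ || (opts ~ /no-port-forwarding/ && opts ~ /no-x11-forwarding/)
            if (!ok) { print FILENAME ":" NR ": " $0; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}
# Return 0 only if forwarding is off globally and every key carries the restrictions.
audit_ssh() {
    rc=0
    fwd=$(tcp_forwarding_setting "$1")
    [ "$fwd" = "no" ] || { echo "FAIL: AllowTcpForwarding is '$fwd' in $1"; rc=1; }
    unrestricted_keys "$2" || rc=1
    return $rc
}
# Constructed sample files: the commented-out "no" is inert, the Match block does not
# change the global value, and only the second and third keys are restricted.
TMP=$(mktemp -d)
cat > "$TMP/sshd_config" <<'EOF'
#AllowTcpForwarding no
AllowTcpForwarding yes
Match User vendor
    AllowTcpForwarding no
EOF
cat > "$TMP/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3Nz...constructed1 vendor@factory
no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3Nz...constructed2 admin
restrict,command="/bin/status" ssh-rsa AAAAB3Nz...constructed3 monitor
EOF
audit_ssh "$TMP/sshd_config" "$TMP/authorized_keys" && echo "hardened" || echo "NOT hardened"
```

On the sample files the audit reports the global "yes" and the unrestricted vendor key; point the two functions at a real device's /etc/ssh/sshd_config and each user's authorized_keys to repeat the check there.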

Edit: After the article was published, the inventor of the SSH protocol, Tatu Ylönen, commented on Akamai's findings:

“As Akamai points out in their ‘SSH Key Advisory’ IoT devices add yet another layer of vulnerability due to targeted attacks compounding the security risks for enterprises, as the devices they have deployed throughout their enterprise can be exploited due to default configurations.    

“Examining the issue further, this attack is dangerous in multiple ways. First, it allows attackers to hide their tracks by bouncing their attacks through any number of IoT devices having this vulnerability. Second, if the device is accessible from the Internet, for example to allow the vendor to maintain and update it, it can be used to tunnel connections from the Internet into the Intranet, basically breaching the firewall.

“This can be further combined with other attacks, such as password brute-forcing or SSH key based attacks, to penetrate systems inside a corporate network. This is exactly the kind of scenario I’ve written about here.

“I strongly urge enterprises to deploy systems to control and prevent SSH tunneling at their firewall and get visibility into vendor access. Furthermore, I strongly recommend against deploying any devices that do not have shared or hard-coded SSH keys, as they subject the device to man-in-the-middle attacks and possible mass penetration using default SSH keys or default passwords.”

“Given this information, the urgency and need to get the proper controls in place to effectively manage SSH keys, as well as monitor and control encrypted traffic, must be a top priority for IT departments who are responsible for safeguarding and protecting their company’s digital infrastructure.”
