(Mis)Uses of Technology

by Karl Bode

Filed Under: ddos, iot, security, ssh
Companies: akamai

Akamai: 12-Year-Old SSH Vulnerability Fueling Internet-Of-Broken-Things DDoS Attacks, And Worse

from the security-as-a-distant-afterthought dept

We've increasingly covered how the "internet of poorly secured things" has contributed to DDoS attacks larger than ever before. The barely-there security standards implemented by companies more interested in hype than quality meant it didn't take long before hackers were able to incorporate "smart" refrigerators, power outlets, TVs and other IoT devices in the kind of DDoS attacks that recently knocked the website of security researcher Brian Krebs offline. The end result is DDoS attacks that continue to break records: first 620 Gbps in the Krebs attack, then more recently a 1.1 Tbps attack on a French web host.

But just how bad have things become? A new report by Akamai warns that hackers are using a 12-year-old vulnerability in OpenSSH to funnel malicious network traffic through IoT devices. SSH can certainly be deployed securely, but as with every other aspect of IoT security, many hardware vendors aren't bothering to do so. Akamai's data indicates roughly 2 million devices have been compromised by this type of attack, which the firm dubs SSHowDowN.

CVE-2004-1653 is not a flaw in the SSH protocol but a default configuration in older versions of OpenSSH: TCP forwarding (the AllowTcpForwarding setting) is enabled unless the administrator turns it off, and it is honored for any account that can authenticate, even one whose login shell is /bin/false or /sbin/nologin and so can't run commands. An attacker who can log in can use the device as a relay, routing malicious traffic through it toward targets on the Internet as part of the overall attack infrastructure. Pulling this off requires valid credentials for the device; that's hardly an obstacle in the IoT space, where factory default logins are often the norm. On a device you control, the fix is to set "AllowTcpForwarding no" in sshd_config and change the password, but Akamai notes that many IoT devices not only ship with this vulnerability intact, but with no way for the owner to fix it:
"We’re entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” explained Ory Segal, senior director, Threat Research, Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality."
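The setting at the heart of the CVE, and the check a device owner can run against a config file pulled off a unit, as an added example (not code from Akamai or from the article): a small Python auditor that parses sshd_config the way sshd does (case-insensitive keywords, first occurrence of a keyword wins, a Match block overrides the global section for the connections it matches), fills in OpenSSH's documented defaults for anything the file leaves unset, and reports forwarding left on, unrestricted PermitOpen, GatewayPorts, password logins and root logins. The two sample configs are constructed for the example, not taken from any real firmware.

```python
"""Audit sshd_config for the forwarding-on-by-default exposure behind CVE-2004-1653."""
import re

# Defaults OpenSSH applies when a keyword is absent (sshd_config(5)); PermitRootLogin
# defaulted to "yes" in the old releases the article is about.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitopen": "any",
    "gatewayports": "no",
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
}
KEYWORD_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def parse_sshd_config(text):
    """Return (global_section, [(match_criteria, section), ...]) as dicts."""
    global_section, match_blocks = {}, []
    current = global_section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(key, value)  # first occurrence wins, as in sshd
    return global_section, match_blocks

def effective(key, *sections):
    """Resolve a keyword: the last section given (a Match block) overrides earlier ones,
    and the OpenSSH default applies when no section sets it."""
    for section in reversed(sections):
        if key in section:
            return section[key].lower()
    return DEFAULTS.get(key, "")

def audit(text):
    """Return findings as dicts with 'id' and 'detail'; an empty list means clean."""
    g, match_blocks = parse_sshd_config(text)
    findings = []
    def flag(fid, detail):
        findings.append({"id": fid, "detail": detail})
    fwd = effective("allowtcpforwarding", g)
    if fwd != "no":
        how = "explicitly" if "allowtcpforwarding" in g else "by default (keyword absent)"
        flag("tcp-forwarding", f"AllowTcpForwarding is '{fwd}' {how}: any account that can "
             "authenticate, even one with a /bin/false shell, can bounce TCP connections "
             "through this host (CVE-2004-1653)")
        if effective("permitopen", g) == "any":
            flag("permitopen-any", "PermitOpen is unrestricted: forwards may reach any host:port")
    if effective("gatewayports", g) != "no":
        flag("gateway-ports", "GatewayPorts lets remote forwards listen on every interface")
    if effective("passwordauthentication", g) == "yes":
        flag("password-auth", "password logins accepted; with a factory default password "
             "this is the SSHowDowN entry point")
    if effective("permitrootlogin", g) == "yes":
        flag("root-login", "PermitRootLogin yes")
    for criteria, section in match_blocks:
        if (effective("allowtcpforwarding", g, section) != "no"
                and effective("permitopen", g, section) == "any"):
            flag("match-forwarding-unrestricted",
                 f"Match {criteria}: forwarding enabled without a PermitOpen restriction")
    return findings

# Constructed sample configs (a hypothetical firmware, not any real vendor's file).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# AllowTcpForwarding never mentioned -> OpenSSH default 'yes'
Subsystem sftp /usr/libexec/sftp-server
"""
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
# Only the maintenance account may forward, and only to the local web UI
Match User maint
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:443
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  {f['id']}: {f['detail']}")
```

Run as-is, the weak config yields four findings and the hardened one none; to check a real unit, pass the contents of its /etc/ssh/sshd_config to audit(). The Match block in the hardened config shows the shape of a safe exception: forwarding re-enabled for one account, with PermitOpen pinning the destinations, rather than the box being left open as a general-purpose relay.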
Of course the internet-of-poorly-secured things isn't just useful for DDoS attacks. Brian Krebs has penned a new blog post noting how criminals are often using hacked IoT hardware as proxies to obscure their real location as they engage in tax return fraud and other criminal activity, courtesy of your not-so-smart WiFi-enabled tea kettle or home-automation system. An anonymous researcher tells Krebs he was able to track the various "honeypot" systems he configured as they were traded and sold as malware-infested proxies in exchange for bitcoin.

In short, flimsy Internet of Things security, combined with the already often-dubious embedded security in home routers, is a throwback to the wild west of the 1990s, when the idea of your mom's PC as a botnet participant was still novel. Krebs' source puts it this way:
"In a way, this feels like 1995-2000 with computers," my source told me. "Devices were getting online, antivirus wasn’t as prevalent, and people didn’t know an average person’s computer could be enslaved to do something else. The difference now is, the number of vendors and devices has proliferated, and there is an underground ecosystem with the expertise to fuzz, exploit, write the custom software. Plus, what one person does can be easily shared to a small group or to the whole world."
And again, while the abysmal state of IoT security can often be funny, firms like Gartner predict that the population of Internet of Things devices will top 20.8 billion by 2020, up from 6.4 billion or so today. Researchers like Bruce Schneier have been warning for some time that the check is about to come due, in the form of attacks that may put human lives at risk on an unprecedented scale. That has lit a fire under researchers who believe that automated cyberdefense and self-healing network technologies we haven't invented yet are what stand between us and the not-so-smart-device cyber apocalypse.

Reader Comments

  • TKnarr (profile), 18 Oct 2016 @ 5:45pm

    Configure to prevent exploitation at the source

    IoT devices should by default live on a separate subnet within the home network, ideally on a separate port on the router from the rest of the home LAN (VLAN tagging makes this easy, it's already used to isolate the WAN port from the LAN ports and WiFi network). WiFi devices should work on a separate WiFi network (the same way guest networks work). Restrict the IoT network so it doesn't have access to the Internet and in large part you cut off the ability to exploit IoT devices even if they're vulnerable.


    • dfed (profile), 18 Oct 2016 @ 6:27pm

      Re: Configure to prevent exploitation at the source

      While I agree with you, most of the design of the control software on these devices doesn't even assume that a home network would have more than 1 broadcast domain or subnet. This leads to apps not being able to connect from wireless if the IoT thing is on another subnet/etc.

      It causes some issues from time to time, especially when they auto-discover their counterparts or control devices on one subnet and don't think there might be another locally. I recently had an issue with Chromecast like this: it was joined to the 2.4 GHz wireless, which was technically being used as a sort of "device wifi", and my phone on the 5 GHz wireless (on another subnet/VLAN) wouldn't allow me to enter an IP - it just kept trying to search the one VLAN/subnet.

      That was before they released Chromecasts with 5 GHz support, so maybe they fixed this, but things like these non-considerations for more complicated home networks turn me off to most IoT devices. That and I trust the security in them so little I doubt I would let the VLAN they are on out to the internet, which probably breaks most of them.

      tl/dr: agreed, but that breaks a lot of the functionality of these things.


    • Anonymous Coward, 19 Oct 2016 @ 8:29am

      Re: Configure to prevent exploitation at the source

      So you want to take the I out of IoT? That works great for all of the LoT (LAN of Things) devices you have in your home while you are at home. But what about that device you want to control remotely from your phone? At the point where you want to turn off a light while not connected directly to your network, you will need to put the I back in IoT.


    • Vadim Rapp, 21 Oct 2016 @ 4:43am

      Re: Configure to prevent exploitation at the source

      > Restrict the IoT network so it doesn't have access to the Internet

      But the whole idea is to sell the customer the ability to monitor and control in-home devices from the outside. Within the home, what to do - install their app just to lower the temperature without standing up from the couch?


  • Anonymous Coward, 18 Oct 2016 @ 7:03pm

    You guys keep making it sound like these are home automation products in western countries. Apparently they are old routers and security cameras in predominantly third world countries that are the issue. There were no tea kettles involved.

    While this is a problem your coverage is portraying it falsely.


    • orbitalinsertion (profile), 18 Oct 2016 @ 7:42pm

      Re:

      “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it."


  • hated for reality, 18 Oct 2016 @ 8:27pm

    Every single person should read this

    who even spends time on the intertubes or interacts with computers at all

    http://www.stilldrinking.org/programming-sucks


  • Anonymous Coward, 18 Oct 2016 @ 8:55pm

    Anybody stupid enough to buy smart devices and appliances deserves what happens to them.

    The shame here is unrelated people being harmed.


  • Arthur Moore (profile), 18 Oct 2016 @ 9:17pm

    Random Default Passwords

    The worst part is most of the problem isn't even unpatched security vulnerabilities, it's default passwords.

    Many router manufacturers have at least gotten the message and burn a random default password into the rom. It goes on a sticker right next to the serial number.

    Sure, there are plenty of other vulnerabilities in these devices that will never be patched, but using a random password should cut out most of the malicious activity we see today.


  • mhajicek (profile), 18 Oct 2016 @ 9:55pm

    Liability

    If you leave a loaded gun on a playground you'll be held criminally liable when someone gets hurt. Why should these device manufacturers be treated any different?


    • Anonymous Coward, 18 Oct 2016 @ 10:56pm

      Re: Liability

      Because they didn't leave it in the playground; you did.


    • Fuzzy Curmudgeon (profile), 20 Oct 2016 @ 7:18am

      Re: Liability

      Your conclusion doesn't follow. Leaving a loaded gun on a playground isn't the fault of the manufacturer, and indeed, in most if not all such cases of firearm misuse by the end user, the manufacturer is legally not liable (see 15 USC §§ 7901-7903).

      Likewise, if we follow your initial premise, getting your IoT device hacked because you were too stupid to change the default password or take other protective measures to prevent unauthorized access is not the fault of the manufacturer, particularly if as part of the setup instructions for the device, the manufacturer recommended changing the password or taking other protective measures.

      To make this work, you'd have to prove malicious intent or neglect on the part of the manufacturer, who in most cases could probably point to their operating instructions and shrug such charges off.


  • Anonymous Coward, 18 Oct 2016 @ 10:09pm

    Why are all these devices directly on Internet?

    No firewalls? No routers?
    You'd think everyone is putting the spare key under the doormat.


    • Arthur Moore (profile), 18 Oct 2016 @ 10:31pm

      Re: Why are all these devices directly on Internet?

      Because it's cheaper.

      Here's what the camera makers are doing at least:

      1. Auto register with a dynamic DNS provider. Giving the home network a stable address.
      2. Use UPnP to expose themselves to the internet.
      3. Practically shout that dynamic DNS address to any listening device on the local network.

      Now you can easily check your cheap WiFi camera from the smartphone app anywhere. All you need to do is run the app once while connected to the local network.

      The alternative is persistent connections and the vendor having to gasp actually maintain some infrastructure.

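What step 2 of the comment above leaves behind on the router, and how to list it, as an added example (not the commenter's code or any vendor's): the WANIPConnection:1 action GetGenericPortMappingEntry walks the router's port-mapping table by index until the router answers with UPnP error 713 (SpecifiedArrayIndexInvalid), and every entry that hands Internet traffic to a shell, web UI or RTSP port on a device is exactly the exposure being discussed. The control URL used by fetch_mappings is an assumed placeholder (on a real network it comes from the device description XML located through SSDP discovery), and the router responses embedded in the block are constructed for the example so it runs offline.

```python
"""Walk a UPnP IGD router's port-mapping table (the table a camera fills in via AddPortMapping)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")
ADMIN_PORTS = {22, 23, 80, 443, 554, 8080}  # shells, web UIs, RTSP streams

def build_request(index):
    """SOAP body for GetGenericPortMappingEntry(index), per WANIPConnection:1."""
    return ('<?xml version="1.0"?>'
            f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{int(index)}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()

def parse_response(body):
    """One mapping as a dict, or None on UPnP error 713 (index past the end of the table)."""
    root = ET.fromstring(body)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        code = root.findtext(f".//{{{CTRL_NS}}}errorCode")
        if code == "713":
            return None
        raise RuntimeError(f"UPnP error {code}")
    resp = root.find(f".//{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise RuntimeError("not a GetGenericPortMappingEntry response")
    return {f: (resp.findtext(f) or "") for f in FIELDS}  # argument elements carry no namespace

def enumerate_mappings(call, limit=1024):
    """Read entries 0, 1, 2, ... until the router reports the end; call(i) returns raw SOAP bytes."""
    mappings = []
    for i in range(limit):
        m = parse_response(call(i))
        if m is None:
            break
        mappings.append(m)
    return mappings

def exposes_admin_port(mapping):
    """True if an enabled mapping hands Internet traffic to a shell, web UI or stream port."""
    return mapping["NewEnabled"] == "1" and int(mapping["NewInternalPort"]) in ADMIN_PORTS

def fetch_mappings(control_url):
    """Query a real router; control_url (assumed, e.g. http://192.168.1.1:5000/ctl/IPConn)
    comes from the device description XML found through SSDP discovery."""
    def call(i):
        req = urllib.request.Request(control_url, data=build_request(i), headers={
            "Content-Type": 'text/xml; charset="utf-8"',
            "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                return r.read()
        except urllib.error.HTTPError as e:  # SOAP faults come back as HTTP 500 with a body
            return e.read()
    return enumerate_mappings(call)

# Constructed responses standing in for a router: three mappings, then the end-of-table fault.
def _entry(ext, proto, host, port, desc):
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>'
            f'<NewInternalClient>{host}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            '<NewLeaseDuration>0</NewLeaseDuration>'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>').encode()

FAULT_713 = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
             f'<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="{CTRL_NS}">'
             '<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid'
             '</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>').encode()

SAMPLE_TABLE = [_entry(8080, "TCP", "192.168.1.23", 80, "IPCam"),
                _entry(2222, "TCP", "192.168.1.23", 22, "IPCam"),
                _entry(51413, "TCP", "192.168.1.40", 51413, "torrent"),
                FAULT_713]

def sample_call(i):
    return SAMPLE_TABLE[min(i, len(SAMPLE_TABLE) - 1)]

if __name__ == "__main__":
    for m in enumerate_mappings(sample_call):
        tag = "  <-- admin/stream port exposed" if exposes_admin_port(m) else ""
        print(f"{m['NewExternalPort']}/{m['NewProtocol']} -> {m['NewInternalClient']}:"
              f"{m['NewInternalPort']} ({m['NewPortMappingDescription']}){tag}")
```

Against the constructed table the camera's two mappings (its web UI on 80 and its SSH on 22) are flagged and the third is not; against a real router, fetch_mappings shows what every UPnP-capable device on the LAN has quietly opened, which is why turning UPnP off on the router (or putting such devices on a VLAN the router won't forward for) removes the mechanism the comment describes.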

    • Anonymous Coward, 19 Oct 2016 @ 10:15am

      Re: Why are all these devices directly on Internet?

      > Why are all these devices directly on Internet?

      > No firewalls? No routers?

      Some of these devices are routers.

      It's bullshit to call this an SSH vulnerability. Perhaps enabling forwarding was an unwise default, but only authenticated users can use it. If SSH forwarding were disabled, the attackers could probably still log in as admin and enable SSH or other forwarding.

      The default password is the problem. SSH shouldn't be enabled until the owner sets a password. Or maybe for a minute or two after a button is pressed, so they can set the password in the first place.


  • Anonymous Coward, 18 Oct 2016 @ 11:47pm

    I'm confused

    From what I've read on Krebs and here amongst other places, most of the attacks on the common devices (cameras, media players, other similar devices) require the attacker to be able to hit the SSH port of the device.

    Surely ANY NATting router/firewall would block these attacks stone cold. If you can't probe the ports of the device, or hit it directly because it's behind a NAT, how does an attacker even know there's a device there to attack?

    And if you DO want to access the camera (for example) from the Internet, surely this requires doing a port forward of the streaming port on the NAT? E.g. if it's HTTP-based, you'd forward some random (but known to you) port on the router to the camera's (non-routable)IP:80? Since it's not the SSH port, the SSH attack can't be used.


  • Uriel-238 (profile), 19 Oct 2016 @ 12:07am

    The IOT industry is afraid. I have seen its true face.

    The accumulated filth of all their greed and arrogance will foam up about their waists and all the heedless early-adopters and parsimonious developers will look up and shout Save us!... and I'll whisper no.


  • Ninja (profile), 19 Oct 2016 @ 2:24am

    I assume ISPs will end up being forced to implement filters to outbound traffic to block such attacks. Of course given the implementation of other security and infra-structure improvements we'll have to wait for some serious financial damage before they actually do it.


    • Bengie, 19 Oct 2016 @ 5:18am

      Re:

      At the rate backbone bandwidth is increasing, they will need to filter the data at the customer's connection. This means increased costs for modems and ONTs that support filtering.

      We're fast approaching a physics limit that we have to choose between moving the data faster or processing the data. Of course everyone wants to move more data. This is why people are talking about high speed photonic processing of route packets. This is very simple processing not capable of much more than route tables. Any filtering you try to place after will be like drinking from a firehose. Not even dedicated ASICs will be able to keep up.


      • Ninja (profile), 19 Oct 2016 @ 5:27am

        Re: Re:

        True enough. Still, an ISP can detect a large amount of traffic being directed at unusual targets. It's expected to have huge traffic towards YouTube, but towards Krebs? You don't have to filter individual traffic as far as I can see. And once you identify these unusual traffic spikes you can identify who generated it and proceed to tackle the individual user issues (i.e. get in touch and warn the user that the system detected malware traffic from their end). Users are generally not tech savvy, so a little help won't hurt and it may help save resources for the ISP.

        Krebs is doing his job identifying both networks and devices that are more compromised. There's a Chinese network that is almost fully compromised. It's safe to say that blocking it all will help mitigate the problem for instance.


    • Dave, 20 Oct 2016 @ 8:12am

      Re:

      Or wait for a hacker to cause devastation through an IoT enabled car :/


  • Jim, 19 Oct 2016 @ 6:08am

    IdiOT

    I think you folks are having brain farts, blaming it only on the refer, oven and poor routers. You forgot about the thermostat for your heating and the ridiculously-needs-to-be-connected-now light bulb. I still ask the question, at work, why the light bulb gets priority over my connection to Facebook? Or why does the refer get priority over the boss's connection to porn?


  • Hazel (profile), 19 Oct 2016 @ 6:49am

    cant beat hackers

    hi

    I think the hackers always use tricks that are not easily trackable by the internet security companies.
    There are still many ways in this modern age to hack,
    so it's very difficult to beat the hackers.


  • Vadim Rapp, 21 Oct 2016 @ 4:48am

    Without forwarding the port?

    Even if the password is default, and even if the device has access to WAN, don't you have to create the rule on the router forwarding incoming traffic on this specific port to the device?


