SSHowDowN Flaw Found In Internet of Things Devices

Andrew Orr In the News

Content delivery network Akamai found a security flaw, SSHowDowN, affecting over two million devices. The company says multiple clients have become targets.

Further Reading

New Router Hack Discovered That Targets Port 7547

Don’t Look, But Your Wi-Fi Router Is Spying On You

SSHowDowN Flaw

Akamai found a way [PDF] in which hackers can exploit a particular weakness in OpenSSH (CVE-2004-1653). Millions of internet-connected devices use crypto. An attacker can use these flaws to take over these devices. Then combine their power into a single attack, like a botnet.

This particular hack has a name: SSHowDowN. Akamai says that 11 of its customers have been targets, coming from industries like financial services, retail, hospitality, and gaming.

Types of Vulnerable Devices
  • CCTV, NVR, DVR
  • Satellite TV Equipment
  • Networking devices like routers, hotspots, WiMax, ADSL modems
  • Network Attached Storage devices

SSHowDowN—via Akamai

Types of Attacks
  • Attacks against any internet target or internet-facing services like HTTP, SMTP and Network Scanning
  • Attacks against internal systems that host these devices

Akamai’s Threat Research team found that hackers used unauthorized SSH tunnels. IoT devices are hardened and don’t allow the default web interface user to use SSH. However, SSHowDowN bypasses this.

SSH, or Secure Shell, is usually used for remote system access. But most IoT companies either don’t use it or don’t use best practices when setting it up. As the Internet of Things gets bigger, so does the spread of critical flaws such as SSHowDowN.

Martin McKeay, a security advocate at Akamai, said:

“This is something we’ve known about for a dozen years..it should not be happening…these products have to be thought through and protected before they get into the home.”

In one example, Akamai found that hackers used an admin account to authorize an SSH tunnel to a network video recorder. Then they used the recorder to send malicious traffic. This hides the real source of the attack.

SSH Daemon—via Akamai

Protect Yourself

Akamai gives instructions to users and vendors for protection.

End Users
  • Always change factory default settings for username/password.
  • Unless you need it, disable SSH services. If you do need it, put “AllowTcpForwarding No” into sshd_config.
  • Use an inbound firewall to prevent SSH access coming into your device outside of a trusted IP space.
  • Use an outbound firewall to prevent the use of SSH tunnels.
Vendors
  • Don’t ship IoT devices with undocumented accounts.
  • Disable SSH on devices unless required.
  • Make sure users change factory default settings after installation.
  • Configure SSH to prevent TCP forwarding.
  • Give users a secure process to update ssh config, so they don’t have to wait for a firmware patch update.