Menu

IoT FEATURE NEWS

Unpatched IoT Vulnerabilities are Still a Big Problem, Akamai Research Says

By

The Mirai DDoS attack, using unsecured IoT devices as a vector, has hopefully awakened the industry to the necessity of incorporating security into solutions. Not as an afterthought, but as a business-critical function of all development from here on out. And, if you’re still not convinced, don’t worry there’s more to come.

Akamai Technologies, a provider of content delivery network (CDN) services, has published new research from its Threat Research team in which researchers Ory Segal and Ezra Caltum have identified several recent attacks leveraging a 12-year old vulnerability in OpenSSH to compromise IoT devices. The tem is calling it the SSHowDowN Proxy. A full report detailing the attacks is available for download here.

This research is not about a new vulnerability. In fact, it’s worse. This is a long-standing and continuing weakness in many default configurations of Internet-connected devices. The company says that this type of attack is now actively being exploited in mass-scale attack campaigns against its customers.

The report details that these SSHowDowN Proxy attacks originate from the following types of devices: CCTV, NVR, DVR devices (video surveillance); satellite antenna equipment; Networking devices (Routers, Hotspots, WiMax, Cable and ADSL modems); and Internet-connected NAS devices (Network Attached Storage).

Compromised devices can be and are being used to mount attacks against Internet targets and Internet-facing services like HTTP, SMTP and Network Scanning, and against the internal networks that host these connected devices.

“We're entering a very interesting time when it comes to DDoS and other web attacks; ‘The Internet of Unpatchable Things’ so to speak,” said Ory Segal, senior director, Threat Research, Akamai. “New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We've been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

Akamai also recommended several ways to address this vulnerability. It’s important to change SSH password sand keys from the vendor defaults, of course, and if the device can offer file system access, there are coding solutions, including: adding “AllowTcpForwarding No” into the global sshd_config file, and adding “no-port-forwarding” and “no-X11-forwarding” to the ~/ssh/authorized_ keys file for all users.

If you can’t use either of the above fixes, or if SSH access is not required for normal operations, just go ahead and disable SSH entirely via the device's administration console.

Devices located behind a firewall can be protected by disabling inbound connections to port 22 and allowing only the minimal set of required ports to operate outbound traffic.

This stuff is no longer optional, so get off your complacent laurels and stop talking about how important security is to your company, because you aren’t doing enough. 




Edited by Stefania Viscusi

Editorial Director

SHARE THIS ARTICLE
Related Articles

Constantly tracking anything, anywhere

By: Special Guest    6/3/2020

Not only does the IoT herald in greater visibility of production asset effectiveness, improve operational efficiencies, and facilitate more informed d…

Read More

CEO Interview: Cloud of Things Grants Wishes with Genie

By: Shrey Fadia    6/2/2020

From the Israeli Army to the Bank of Israel to IoT Company, CEO sets sights on software.

Read More

Aeris Joins 5G Open Innovation Lab as a Technology Partner

By: Ken Briodagh    6/2/2020

Aeris will provide IoT technical consulting to Seattle-based Lab to support 5G-related app development

Read More

Plug and Play Grows in Popularity on the Azure IoT Marketplace

By: Arti Loftus    6/2/2020

Microsoft Azure is becoming increasingly popular among IoT developers as a platform for creating then scaling new applications.

Read More

IoT Time Podcast S.5 Ep.19 Great Lakes Water Authority

By: Ken Briodagh    5/29/2020

In this episode of IoT Time Podcast, Ken Briodagh sits down with Ali Abdallah, Engineer and Infrastructure Manager at the Great Lakes Water Authority,…

Read More