Lexumo Analytics Says It's Known about SSHowDowN, Customers Protected

By Ken Briodagh October 17, 2016

As the IoT reels from real-world attacks (predicted by this outlet and everyone else who was paying attention) like the Mirai botnet and SSHowDowN, some security companies are coming out to tell customers that they were watching and have solutions.

Lexumo, developer of an automated service for continuously monitoring IoT code for critical open source vulnerabilities, has announced that its cloud-based platform has been constantly protecting customers from the SSHowDowN vulnerability for quite some time.

Akamai last week reported that attackers are exploiting a 12-year-old OpenSSH weakness (sshd permits TCP forwarding by default, so any account reachable with factory credentials can be used as a proxy) to mount mass-scale attacks from millions of compromised IoT devices, including routers, cable modems, satellite TV equipment, and IP-connected cameras, DVRs and NAS (Network Attached Storage) devices. The attackers log in to the device and open unauthorized SSH tunnels through it, then route malicious traffic against victim sites so that it appears to originate from the device rather than from them. Attackers also use the devices as beachheads to launch internal attacks against the networks they sit on.
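The practical check an operator wants here is whether a device's SSH daemon still has the preconditions for this abuse. The script below is an added example, not Lexumo's or Akamai's code; it audits an sshd_config and an authorized_keys file for the server-side mitigations recommended against SSHowDowN (AllowTcpForwarding no, no-port-forwarding on key entries, and no password login on a device whose factory credentials were never changed). The default values table, the `factory_password_unchanged` flag and both sample configuration files are assumptions constructed for the example; the parser reproduces sshd's rule that the first value read for a keyword wins and that Match blocks override global settings for matching connections.

```python
"""Audit sshd_config / authorized_keys for the SSHowDowN preconditions.

Added example, not code from Lexumo or Akamai.  Sample configs below are
constructed for illustration, not taken from any real device.
"""
import re

# sshd defaults (sshd_config(5)); assumed for keywords a file omits.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",  # OpenSSH < 7.0 defaulted to "yes"
}

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")  # start of a key-type token


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    sshd keeps the FIRST value it reads for a keyword, so a duplicate later in
    the file does not override it.  Settings inside a Match block apply only to
    matching connections and override the global value there.
    """
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)$", line)  # "Key value" or "Key=value"
        key, val = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = key.lower()
        if key == "match":
            current = {}
            blocks.append((val, current))
        else:
            current.setdefault(key, val.lower())      # first value wins
    return global_cfg, blocks


def effective(cfg, key):
    return cfg.get(key, DEFAULTS.get(key, ""))


def audit_sshd_config(text, factory_password_unchanged=False):
    """Return a list of findings; an empty list means nothing was flagged.

    factory_password_unchanged is an assumed caller-supplied flag: the config
    file alone cannot tell whether the shipped credentials still work.
    """
    g, blocks = parse_sshd_config(text)
    findings = []
    fwd = effective(g, "allowtcpforwarding")
    if fwd != "no":
        findings.append("AllowTcpForwarding is %s: a logged-in user can open "
                        "SSH tunnels (-L/-D) through this host" % fwd)
    for criteria, blk in blocks:
        if blk.get("allowtcpforwarding", "no") != "no":
            findings.append("Match %s re-enables AllowTcpForwarding" % criteria)
    if effective(g, "gatewayports") != "no":
        findings.append("GatewayPorts %s: forwarded ports are reachable from "
                        "other hosts" % effective(g, "gatewayports"))
    if effective(g, "permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes")
    if factory_password_unchanged and effective(g, "passwordauthentication") == "yes":
        findings.append("password login still enabled with factory credentials")
    return findings


def audit_authorized_keys(text):
    """Return the comment (or key type) of each key lacking a forwarding
    restriction.  Options containing quoted spaces are not parsed precisely;
    the membership test below still works for plain 'no-port-forwarding'."""
    weak = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if KEY_TYPE.match(t)), None)
        if idx is None:
            continue                                   # not a key line we understand
        opts = ",".join(tokens[:idx]).split(",") if idx else []
        if not ({"no-port-forwarding", "restrict"} & set(opts)):
            weak.append(" ".join(tokens[idx + 2:]) or tokens[idx])
    return weak


# Constructed samples: a typical shipped config and a hardened version.
FACTORY_SSHD_CONFIG = """\
# /etc/ssh/sshd_config as shipped in a hypothetical camera firmware
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#AllowTcpForwarding yes      (commented out, so the default "yes" applies)
Subsystem sftp /usr/libexec/sftp-server
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
AllowTcpForwarding yes       # ignored: sshd keeps the first value it read
GatewayPorts no
Match User support
    PasswordAuthentication no
"""

FACTORY_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGR1bW15a2V5MDAwMDAwMDAwMDAwMDAwMDAwMDAw vendor-support
restrict,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2Edummy== installer
"""

if __name__ == "__main__":
    print("factory :", audit_sshd_config(FACTORY_SSHD_CONFIG, factory_password_unchanged=True))
    print("hardened:", audit_sshd_config(HARDENED_SSHD_CONFIG))
    print("keys without forwarding restriction:", audit_authorized_keys(FACTORY_AUTHORIZED_KEYS))
```

Run against the two constructed files, the factory configuration yields three findings (forwarding allowed by default, root login, password login with factory credentials) and the hardened one yields none; the duplicate `AllowTcpForwarding yes` line in the hardened file is correctly ignored because sshd honours the first value it reads.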

Lexumo says it uses graph analytics and machine learning developed for DARPA to precisely identify public vulnerabilities such as Heartbleed, Shellshock (Bashdoor), and SSHowDowN in IoT code. The platform also provides detailed instructions for remediating vulnerabilities in order to avoid their exploitation by cyberattackers.

“Cyberattackers look for the path of least resistance – and vulnerabilities that have been around for years are a great place to start,” said Richard Carback, co-founder and Chief Architect, Lexumo. “Unlike with zero days, information about public open source vulnerabilities is broadly available via public message boards and email lists. Many IoT devices are particularly vulnerable because they haven't been designed with security in mind, so there's a good chance this type of attacker technique will become significantly more popular in the future. It would seem like a minimum standard of due care for manufacturers to use automation to ensure they're not shipping devices with vulnerabilities like SSHowDowN.”

The impact of shipping insecure IoT devices was also illustrated a few weeks ago when attackers used a botnet of reportedly 1.5 million compromised IoT devices to generate what was then one of the most powerful Distributed Denial of Service (DDoS) attacks on record, roughly 620 Gbps, knocking the website of well-known security journalist Brian Krebs offline. The same botnet was used in a separate DDoS attack on French hosting provider OVH that reached nearly one terabit per second (Tbps).

Meanwhile, the Mirai botnet is now reportedly infecting Sierra Wireless cellular gateways. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert warning that a variety of IoT devices are targeted because they still use factory default credentials, which are easily found online.

Lamar Bailey, Senior Director of Security Research and Development at Tripwire, recently said, “Botnets are having great success taking advantage of the IoT explosion we have seen over the last few years. The number of connected devices in the average home has skyrocketed to numbers previously seen in small offices. With this rush to get new devices to market we find the consumer devices are not as secure as people assume. Many of the devices lack some of the fundamental security controls like requiring default password changes or using unique passwords for each device. The average home user just sets up the device per the install instructions and trusts it is secure. Botnets can use these default credentials to harvest hundreds or thousands of bots to focus on a target in a DDoS attack. The attacks are more successful because they come from a larger area and this makes them harder to mitigate.”

The short version is this: developers need to stop ignoring this issue or treating it as an afterthought, and OEMs need to refuse to put products into the marketplace with known and obvious vulnerabilities built in, even if that slows a release or hurts the bottom line in the short term.

You’re killing me, smalls. 




Edited by Alicia Young
