Attackers are using a 12-year old open source bug to recruit an army of millions of internet-connected devices to launch powerful traffic attacks against targets.
Researchers at Akamai have discovered that online criminals are using a bug that was addressed more than a decade ago is now causing Internet of Things (IoT) devices to sling junk traffic at select targets.
The attacks rely on IoT devices deployed with default configurations, such as not requiring a password for connections using the Secure Shell (SSH) protocol, or factory-set credentials that are shared among potentially millions of devices.
Attacks seen by Akamai have used video surveillance equipment such as CCTV cameras and digital video recorders (DVRs), satellite antenna kit, home routers, and network attached storage devices.
Akamai says the compromise of these devices is linked to a 12-year old bug in OpenSSH, a widely-used set of tools maintained by the OpenBSD project for encrypting traffic on the web.
It calls the bug “SSHowDowN Proxy”, however notes the issue is not due to a flaw in OpenSSH, but rather default configurations that allow the devices to be used as a proxy for sending malicious traffic.
Most internet users probably aren’t familiar with the name Akamai, but likely enjoy faster access to sites they visit thanks to its network of data centers that help websites deliver content from distant servers faster.
While Akamai is better known as a content deliver network (CDN), in recent years it’s seen faster revenue growth in services that cover customers from distributed denial of service (DDoS) attacks that use junk traffic, typically corralled from hijacked servers, PCs and other devices.
The company provided DDoS protection to krebsonsecurity.com, a blog operated by cybercrime reporter, Brian Krebs. However it recently quit providing protection to the site due the cost of mitigating an attack on Krebs’ site that was launched via a network of hundreds of millions of compromised IoT devices, such as surveillance cameras.
Shortly after Krebs unmasked two people behind an Israel-based “stresser” or DDoS-for-hire service, the site came under an attack that peaked at 600Gbps, believed to be the largest on record. The compromised IoT devices used in the attack were deployed with default configurations.
Eventually Google, which earned $75bn last year compared to Akamai’s $2bn, stepped in to help Krebs via its freedom of expression protection service Project Shield.
The scale of the attack on Krebs’ site raised new questions about IoT devices and the difficulties associated with securing them.
As security expert Bruce Schneier noted of the attack, DDoS is not new, but the case represented a market failure that required government intervention.
“What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own,” he wrote.
A more detailed report of SSHowDowN Proxy is available here on Akamai’s website.