Akamai Threat Advisory

SSHowDowN Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns

By Ezra Caltum & Ory Segal, Akamai Threat Research
Issue Date: 10.11.16

Executive Summary

How many times do end users think about the factory default settings of their Internet-connected devices? Perhaps we all should. Akamai’s Threat Research team recently reported on a case where millions of Internet-connected (IoT) devices were being used as the source for web-based credential stuffing campaigns. When we dug a little deeper, we found evidence that these IoT devices were being used as proxies to route malicious traffic due to some default configuration weaknesses in their operating systems.

While this has been reported before, the vulnerability has resurfaced with the increase in connected devices. Our team is currently working with the most prevalent device vendors on a proposed plan of mitigation. We would like to emphasize that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of Internet-connected devices, which is actively being exploited in mass-scale attack campaigns against Akamai customers.

We observed SSHowDowN Proxy attacks from the following types of devices, and other device types are likely vulnerable as well.

  • CCTV, NVR, DVR devices (video surveillance) 
  • Satellite antenna equipment 
  • Networking devices (e.g. Routers, Hotspots, WiMax, Cable and ADSL modems, etc.) 
  • Internet connected NAS devices (Network Attached Storage)

Vulnerable connected devices are being used for: 

  1. Mounting attacks against any kind of Internet target and against any kind of Internet-facing service such as HTTP, SMTP and Network Scanning 
  2. Mounting attacks against internal networks that host these connected devices

Once malicious users access the web administration console of these devices, they can compromise the device’s data and, in some cases, take over the machine.

In this case, unauthorized SSH tunnels were created and used, despite the fact that the IoT devices were supposedly hardened and do not allow the default web interface user to SSH into the device and execute commands. Due to this, we feel compelled to reiterate the warning.

How to Protect Yourself

End users: 

  1. Always change factory-default credentials of any Internet-connected device
  2. Unless required for normal operation, completely disable the SSH service on any Internet-connected device. If SSH is required, put “AllowTcpForwarding No” into sshd_config.
  3. Consider establishing inbound firewall rules preventing SSH access to your IoT devices from outside of a narrowly trusted IP space, such as your own internal network.
  4. Consider establishing outbound firewall rules for IoT devices at your network boundary, preventing tunnels that are established from resulting in successful outbound connections.

Device vendors: 

  1. Avoid shipping Internet-connected devices with undocumented accounts 
  2. Disable SSH on devices unless absolutely required for normal operations 
  3. Force users to change factory default account credentials after initial installation 
  4. Configure SSH to disallow TCP Forwarding 
  5. Provide a secure process for end-users to update sshd configuration so that they may mitigate future vulnerabilities without having to wait for a firmware patch.
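As an added example (not part of the advisory), the POSIX shell check below reports the effective AllowTcpForwarding value of an sshd_config file, for end-user step 2 and vendor step 4 above; it assumes awk and mktemp are available and uses a constructed sample config. The caveat it demonstrates is that sshd keeps the first occurrence of a keyword, so appending “AllowTcpForwarding no” below an existing “yes” changes nothing.

```shell
#!/bin/sh
# Added example, not from the Akamai advisory: does this sshd_config leave
# TCP forwarding enabled (the OpenSSH default)?
# sshd semantics that matter here: keywords are case-insensitive, the FIRST
# occurrence of a keyword wins, "=" may separate key and value, and directives
# after a "Match" line only apply conditionally, so only the global section
# (everything before the first Match) decides the device-wide setting.

# Print the effective global AllowTcpForwarding value ("yes" if unset).
effective_tcp_forwarding() {
  awk '
    tolower($1) == "match" { exit }        # end of the global section
    /^[[:space:]]*#/ { next }              # comment line
    NF == 0 { next }                       # blank line
    {
      line = $0
      sub(/^[[:space:]]+/, "", line)
      key = line; sub(/[[:space:]=].*/, "", key)
      if (tolower(key) == "allowtcpforwarding" && !found) {
        val = line; sub(/^[^[:space:]=]+[[:space:]=]+/, "", val)
        sub(/[[:space:]#].*/, "", val)     # drop trailing comment
        print tolower(val); found = 1; exit
      }
    }
    END { if (!found) print "yes" }        # OpenSSH default when absent
  ' "$1"
}

# Exit 0 only when forwarding is fully disabled ("local"/"remote" still
# allow one direction); usable as a firmware build check or install audit.
forwarding_disabled() {
  [ "$(effective_tcp_forwarding "$1")" = "no" ]
}

# Constructed sample: an admin appended the fix, but the shipped "yes" wins.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# sshd_config shipped in firmware (constructed sample)
Port 22
AllowTcpForwarding yes
# Added later by an admin; sshd keeps the FIRST value above:
AllowTcpForwarding no
Match User admin
  AllowTcpForwarding no
EOF
effective_tcp_forwarding "$tmp"   # -> yes
rm -f "$tmp"
```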

Technical Details

Recently, Akamai’s Threat Research Team, along with multiple other security vendors and research teams, reported on a trend where IoT devices are being exploited in order to mount attacks against third-party victims. These devices were leveraged to conduct mass-scale HTTP-based credential stuffing campaigns against customers.

We would like to emphasize that this is not a new type of vulnerability or attack technique, but rather a weakness in many default configurations of IoT devices. In fact, several articles were previously released, all touching similar topics. For example:

  • A blog post by Brian Krebs (“IoT Reality: Smart Devices, Dumb Defaults”) 
  • An article by Jeff Huckaby, which describes how hackers are using SSH tunnels to send spam 
  • CVE-2004-1653, which was published against OpenSSH for allowing TCP forwarding by default, and the risk this causes for service accounts designed to not allow normal shell access 
  • Jordan Sissel wrote an article discussing the dangers of using /bin/false 
  • Joey Hess discusses the insecurity involved in the default SSH TCP forwarding configuration in his blog

After analyzing large data sets from Akamai’s Cloud Security Intelligence platform, we discovered several common features, which led us to believe that the IoT devices were being used as proxies to route malicious traffic against victim sites.

In order to prove our hypothesis, we acquired and installed devices identical to those used in the attacks in a connected threat research lab, and set out to uncover the root cause and the techniques used by the attackers, in order to find out how we can better protect ourselves, our customers and all IoT device users.