Brian Jackson - Fotolia

Hackers leverage 12-year-old OpenSSH vulnerability for IoT attack

Akamai researchers discovered how unknown threat actors are using an SSH flaw to secretly gain control of IoT devices and turn them into proxies for malicious traffic.

Akamai Technologies this week warned of threat actors leveraging an ancient OpenSSH vulnerability to stage IoT...


The Akamai Threat Research team issued a security advisory that described how unknown threat actors had taken control of IoT devices to generate malicious traffic. But this IoT attack was different than the potent DDoS attacks last month that slammed infosec journalist Brian Krebs' website. Akamai said it discovered this particular attack was using compromised IoT devices to act as proxies for malicious traffic.

"This was discovered right before the attacks on Krebs," said Ryan Barnett, principal security researcher at Akamai, who contributed to the security advisory. "Although IoT devices were also used in this attack, it was a different threat actor and different technology involved, so we wanted to make a clear separation between this and the [Mirai IoT malware]."

The attack, which Akamai dubbed "SSHowDowN Proxy," uses different types of IoT devices, from Wi-Fi routers and internet-connected network attached storage (NAS) devices to DVRs and wireless cameras. More importantly, the SSHowDowN Proxy attack exploits a default configuration flaw in OpenSSH that was first discovered and addressed in 2004.

"We let some of the [IoT] companies know what was happening, and they immediately asked if they needed a CVE for this vulnerability," Barnett said. "And we told them, no, there already is an entry. This is a 12-year-old vulnerability."

Akamai's security advisory said SSHowDowN Proxy was being used to mount "attacks against any kind of Internet target and against any kind of internet-facing

service such as HTTP, SMTP and network scanning." The report also stated that the attacks could be used against internal networks that host the connected devices.

Akamai had been tracking IoT-enabled attacks for some time; Barnett wrote a blog post in June about massive credential stuffing attacks that targeted two Akamai customers, and compromised home network devices were suspected to be involved. "We had seen a huge spike in attacks using credential stuffing against our clients," he said. "It was on our radar, and we knew that something different was happening with these increasingly powerful attacks."

According to Akamai's report, researchers discovered that some of the malicious traffic originated from a network video recorder (NVR). The research team checked the NVR for unauthorized users but found none logged into the device. But the team then discovered that a remote actor had taken control of the device and was using the device's SSH daemon to generate HTTP traffic. The device should have denied access to any remote user attempting to use an SSH tunnel to access the device and execute commands – even if the user had the factor default username and password, which in this case was "admin:admin."

However, the OpenSSH vulnerability allows TCP forwarding, which Akamai said made the authentication hardening of the device useless. Akamai found that attackers were exploiting the vulnerability to use remote SSH connections and turn the devices into hidden SOCKS proxies for malicious traffic.

Barnett said SSHowDowN Proxy makes detecting and addressing malicious traffic much more challenging. "It makes it much harder, for example, to do IP address blocking because these attacks can camouflage the bad traffic within the normal, good traffic of the device," he said.

Akamai's security advisory also noted that one network device vendor, Ruckus Wireless, the Sunnyvale, Calif. wi-fi networking manufacturer, had identified the potential risk of unauthenticated TCP tunneling through the SSH daemon and issued an advisory on the risk in 2013. However, Ruckus Hotspot products were one of five devices identified by Akamai as being vulnerable to the SSHowDowN Proxy attack; the other four were NUUO NVRs, Intellian satellite antennas, GreenPacket WiMax routers and Synology NAS products.

Barnett said new devices are being shipped with the OpenSSH vulnerability, and the majority of the products don't have any way for end users to fix the flaw themselves. "This vulnerability could potentially cause problems even if you change the factory default password of the device," he said. "There might be some devices that need SSH, but a lot don't. And even if they do need SSH, they don't need TCP forwarding to be enabled."

Akamai said it is "currently working with the most prevalent device vendors on a proposed plan of mitigation." In the meantime, Akamai recommended that end users always change the factory default credentials of any internet-connected device; disable SSH services on the devices unless they are required to operate; and establish firewall rules that prevent SSH access to and from IoT devices.

The company also recommended that vendors of internet-connected devices avoid shipping such products with undocumented accounts; force users to change the factory default credentials after installation; prohibit TCP forwarding; and provide a process that allows users to update the SSH configuration in order to mitigate similar vulnerabilities. 

Next Steps

Read more on assessing and remediating SSH security risks

Learn how to improve SSH security for cloud environments

Find out about the IoT security risks facing enterprises

Dig Deeper on IoT security issues