Earlier this week, Akamai released threat research relating to the recent string of DDoS attacks that make use of IoT devices by exploiting security weaknesses in their factory settings. In the report, Akamai describes how remote users are getting into IoT devices and how to prevent future attacks, which are certain to become more common now that the source code for Mirai, the malware responsible for the largest of the IoT DDoS attacks, has been released on Hackforums earlier this month.
The research team, led by Ory Segal and Ezra Caltum, trace the problem to a weakness in OpenSSH’s default configuration that they have dubbed SSHowDowN Proxy. Vendors ship devices with default or hard-coded SSH accounts and treat them as harmless because the account’s shell is locked down (for example, set to nologin) so that nobody can get an interactive session. That assumption fails because sshd decides separately whether to permit TCP port forwarding, and forwarding is allowed by default: an attacker who authenticates with the publicly listed credentials and asks only for forwarding never needs a shell. According to Akamai’s report, a handful of ordinary client options used together (such as -N, which requests no remote command, combined with -L, -R or -D to set up a forward) are enough to turn the device into a relay for attacks on third parties or, via remote forwards, into a pivot toward the network behind it, even though the device is supposedly hardened against remote login.
To protect against these vulnerabilities, Akamai recommends that users take the following steps for all Internet-connected devices:
- Change the factory-default credentials.
- Disable the SSH service if it is not required for normal operations. If SSH is required, set “AllowTcpForwarding no” in sshd_config and restart sshd so the change takes effect.
- For firewall users, establish inbound rules to prevent SSH access to your devices from outside of a trusted IP space, and establish outbound rules to prevent connection to IoT devices outside of the minimal set of ports and IP addresses required for day-to-day operation.
While the recommendations will certainly bolster the security of individual IoT devices, whether they significantly change the ecosystem depends on how informed and tech-savvy end users are. Even for users eager to tighten security, doing so on IoT devices can be tricky or ineffective for several reasons. First, changing a device’s default password in the Web interface might not keep attackers out: the command-line services (SSH, telnet) often keep their own account database, and they may still accept the factory credentials as valid. Worse, an analysis published by Flashpoint shows that devices made by XiongMai Technologies can be accessed without any login credentials at all, simply by navigating to the page “DVR.htm” before logging in.
Second, devices frequently need firmware updates to fix known security issues, but unlike software updates, which are largely automated, firmware updates are often inconvenient or difficult to install. Some companies even fail to adequately alert their customers that an update exists.
Taking all this into account, it is clear that even the most security-conscious users cannot fully thwart attacks on their devices; manufacturers must act to remove these long-standing weaknesses from their products and guard against the rising threat. Akamai is currently working with vendors on a mitigation plan, but in the meantime it makes the following recommendations to device vendors:
- Avoid shipping Internet-connected devices with undocumented accounts
- Disable SSH on devices unless absolutely required for normal operations
- Force users to change default account credentials after installation
- Configure SSH to disallow TCP Forwarding
- Provide a secure process for end-users to update sshd configuration so that they do not have to wait for a firmware patch to mitigate future vulnerabilities.
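Both lists come down to the same sshd settings, so the following is an added example, not code from Akamai’s report or from any vendor, that audits an sshd_config for them. It assumes OpenSSH’s documented defaults (AllowTcpForwarding yes, GatewayPorts no, PermitTunnel no) and uses two constructed sample configs; point audit_sshd at a real file with audit_sshd "$(cat /etc/ssh/sshd_config)". The weak sample deliberately shows two mistakes that look like a fix but are not: a directive that is only commented out, and a “no” placed inside a Match block where it protects a single user.

```shell
#!/bin/sh
# Added example (not from Akamai's report or any vendor): check whether an
# sshd_config still allows the forwarding that SSHowDowN Proxy abuses.
# Configs are passed as text so the constructed samples below run offline.

# Effective global value of an sshd_config keyword, or the supplied default.
# sshd honours the FIRST occurrence of a keyword (keywords are case-insensitive,
# '#' starts a comment), and anything after a 'Match' line applies only to the
# matching users/hosts, so the scan stops there.  The 'Keyword=value' form is
# not handled; the samples use the usual 'Keyword value' form.
# $1 = config text   $2 = keyword   $3 = OpenSSH default when the keyword is absent
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(printf '%s\n' "$1" | awk -v k="$key" '
        /^[[:space:]]*#/        { next }
        NF == 0                 { next }
        tolower($1) == "match"  { exit }
        tolower($1) == k        { print tolower($2); exit }')
    printf '%s' "${val:-$3}"
}

# Prints one line per weak setting; returns 0 only if every check passes.
# A locked-down shell (nologin, forced command) does NOT stop forwarding,
# which is why these must be set explicitly.  Anything other than 'no' for
# AllowTcpForwarding ('yes', 'local', 'remote') still lets -L/-D or -R through.
audit_sshd() {
    cfg=$1
    rc=0
    if [ "$(sshd_value "$cfg" AllowTcpForwarding yes)" != no ]; then
        echo "WEAK: AllowTcpForwarding is not 'no' (any SSH account can relay traffic)"
        rc=1
    fi
    if [ "$(sshd_value "$cfg" GatewayPorts no)" != no ]; then
        echo "WEAK: GatewayPorts enabled (remote forwards bound on all interfaces)"
        rc=1
    fi
    if [ "$(sshd_value "$cfg" PermitTunnel no)" != no ]; then
        echo "WEAK: PermitTunnel enabled (tun/tap tunnels through the device)"
        rc=1
    fi
    return $rc
}

# Constructed sample resembling a factory config.  The directive is only
# commented out, so OpenSSH's default (yes) applies, and the 'no' inside the
# Match block covers the admin user alone, not the default service accounts.
WEAK_CFG='Port 22
PermitRootLogin yes
#AllowTcpForwarding no
PasswordAuthentication yes
Match User admin
    AllowTcpForwarding no'

# Constructed sample with the advisory applied globally.
HARD_CFG='Port 22
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
PasswordAuthentication yes'

echo "== factory config =="
audit_sshd "$WEAK_CFG" || echo "result: FAIL"
echo "== hardened config =="
audit_sshd "$HARD_CFG" && echo "result: PASS" || echo "result: FAIL"
```

To confirm the fix from the outside, run the same thing an attacker would: ssh -N -D 1080 user@device with the factory credentials, then curl --socks5-hostname 127.0.0.1:1080 http://example.com. With forwarding disabled the login may still succeed, but OpenSSH refuses the channel (“administratively prohibited”) and the curl fails. Two caveats: many IoT devices run dropbear rather than OpenSSH, which has no sshd_config and instead disables local and remote forwarding with its -j and -k command-line flags in the init script; and after changing the Web password, try the factory credentials over both SSH and telnet, since those services may keep their own account database.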
Although conscientious manufacturers can use these recommendations as a blueprint for improving their devices’ security, others may need more significant prodding before they change. In the wake of the attacks against KrebsOnSecurity, several of the companies that manufactured compromised devices have been outed as responsible parties. One such company, the Chinese hi-tech manufacturer Dahua, responded to media coverage about the security of its hardware by passing the buck to its users, insisting that the infected devices all still had the factory default credentials, ran firmware dating from before 2015, and were not behind a firewall.
However, as KrebsOnSecurity notes, “Dahua’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via telnet and SSH and because the default password can’t effectively be changed.” Dahua further claimed that, to its knowledge, none of the recent attacks had affected its devices deployed in North America, although the manufacturer information derived from the username/password pairs in the Mirai source code, together with Flashpoint’s analysis of the Mirai attacks, suggests otherwise.
Given a massive user base that is unlikely (and in some cases unable) to consistently and effectively guard against these weaknesses, and manufacturers that seem unwilling to remove them from their products, what options remain for preventing large-scale IoT DDoS attacks going forward? Government intervention is one possibility: the EU is currently drafting new cybersecurity requirements and has proposed a labelling system that uses the EU energy-consumption rating scheme as a template for how cybersecurity ratings could be applied.
On the server side, we have proposed that Google help thwart attacks by becoming a DDoS wholesaler and renting its infrastructure capacity to CDNs to absorb large-scale attacks. Finally, a third option lies in the efforts to research, out, and shame the hosting providers and ISPs that are not doing their part to limit attacks by filtering spoofed traffic leaving their networks.
In the absence of any major reform, however, the potential for a larger attack grows by the day, with pervasive malware scanning constantly looking to infect the estimated 5.5 million new things connected every day.