SSHowDowN Proxy attacks – A 12-Year-Old SSH bug exposes more than 2M IoT Devices

The new attack was dubbed by the experts SSHowDowN Proxy because attackers are able to use the compromised IoT devices as proxies for malicious traffic. The SSHowDowN Proxy attack exploits the CVE-2004-1653 flaw to enable TCP forwarding and port bounces when a proxy is in use.

Akamai confirmed that at least 11 of its customers in various industries, including financial services, hospitality, retail, and gaming have been hit with of SSHowDowN Proxy attacks.

“Given credentials for a user account, often unchanged or unchangeable in IoT deployments, an attacker can use the-D or -L flags to ssh in order to turn the victim machine into a proxy (see diagram below) The -N flag can be added to prevent launching one of the disabled shells.”

The recent SSHowDowN Proxy attacks leverage on a wide range of connected devices, including:

• CCTV, NVR, DVR devices (video surveillance).
• Satellite antenna equipment.
• Networking devices (e.g. Routers, Hotspots, WiMax, Cable and ADSL modems, etc.).
• Internet-connected NAS devices (Network Attached Storage).

Akamai estimates that over 2 Million IoT devices and networking systems have been already compromised by SSHowDowN type attacks.

Unfortunately, the vast majority of devices is exposed due to lax credential security, it is quite common to find smart objects configured with vendor default passwords or keys. Another shocking error is that some vendors still implement default and hard-coded credentials.

The attacker used the password to remotely access the IoT devices and take full control over the system.

“New devices are being shipped from the factory not only with this vulnerability exposed but also without any effective way to fix it. We’ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.” explained Eric Kobrin, senior director of the Akamai Threat Research team.

The first suggestion to mitigate the threat is to change the factory default credentials of your IoT device and disable, if possible, SSH services they expose.

Another defense measure could be the adoption of firewall that uses specific rules to manage SSH accesses to the devices.

Vendors of smart objects are recommended to:

• Avoid shipping such products with undocumented accounts.
• Force their customers to change the factory default credentials after device installation.
• Restrict TCP forwarding.
• Allow users to update the SSH configuration to mitigate such flaws.

There is no time to waste, it is crucial to adopt a security by design approach to protect billion of connected devices that are already surrounding us!

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SSHowDowN Proxy, hacking)