
This 12-Year-Old IoT Bug Has No Fix

According to Akamai researchers, hackers are identifying devices that use OpenSSH.

By Don Reisinger


Is your connected coffee machine or thermostat spying on you? Perhaps.

Akamai researchers Ory Segal and Ezra Caltum on Wednesday said they have identified several recent hacks of Internet of Things (IoT) devices that allowed hackers to remotely create "attack traffic." Hackers are using a 12-year-old vulnerability in OpenSSH, dubbed SSHowDowN Proxy, to attack everything from routers to video surveillance equipment and network-attached storage.

"We're entering a very interesting time when it comes to DDoS and other web attacks; 'The Internet of Unpatchable Things' so to speak," Segal, senior director of threat research at Akamai, said in a statement. "New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We've been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality."

According to the researchers, hackers are identifying devices that use OpenSSH. They then use the devices to attack Internet-based services using HTTP, SMTP, and network scanning. The hackers can also use the vulnerability to wreak havoc on an internal network.

"Once malicious users access the web administration console, they have been able to compromise the device's data and, in some cases, fully take over the machine," Akamai said.

For now, Akamai hasn't said how the problem could be patched, but did offer some mitigation options, including changing SSH passwords from vendor defaults and stopping port and TCP forwarding. The researchers also recommended disabling certain outbound connections in a firewall and disabling SSH entirely, if all else fails.
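To check whether a device's SSH daemon still permits TCP forwarding, the added example below (not from Akamai or the article) audits `sshd_config` text. It assumes the mitigation is applied through OpenSSH's `AllowTcpForwarding` directive; the sample configurations are constructed for illustration.

```python
import re

DEFAULT = "yes"  # OpenSSH allows TCP forwarding when the directive is unset

# Constructed sample configurations, not taken from any real device.
WEAK_CONFIG = "Port 22\nPasswordAuthentication yes\n"
PARTIAL_CONFIG = (
    "AllowTcpForwarding no\n"
    "AllowTcpForwarding yes\n"      # ignored: sshd keeps the first value it reads
    "Match User backup\n"
    "    AllowTcpForwarding=local\n"  # conditional override for one account
)
HARDENED_CONFIG = "# forwarding disabled\nallowtcpforwarding No\n"

def forwarding_settings(config_text):
    """Return (global_value, {match_criteria: value}) for AllowTcpForwarding."""
    global_value, overrides, scope = None, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        m = re.match(r"(\w+)\s*=?\s*(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if keyword == "match":
            scope = value  # later directives apply only to this Match block
        elif keyword == "allowtcpforwarding":
            if scope is None:
                if global_value is None:  # first occurrence wins
                    global_value = value.lower()
            else:
                overrides.setdefault(scope, value.lower())
    return (global_value or DEFAULT), overrides

def audit(config_text):
    """Return findings; an empty list means forwarding is off everywhere."""
    global_value, overrides = forwarding_settings(config_text)
    findings = []
    if global_value != "no":
        findings.append(f"global AllowTcpForwarding is '{global_value}'")
    for criteria, value in overrides.items():
        if value != "no":
            findings.append(f"Match {criteria} re-enables forwarding ('{value}')")
    return findings

if __name__ == "__main__":
    for name in ("WEAK_CONFIG", "PARTIAL_CONFIG", "HARDENED_CONFIG"):
        print(name, audit(globals()[name]) or "OK")
```

A missing directive is reported as a finding because the daemon falls back to its default, which is the case for a configuration that was never hardened.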
