Akamai Finds 2 Million Devices Have Longtime Security Flaws

New research from the content delivery network Akamai takes a closer look at how hackers are abusing weaknesses in a cryptographic protocol to commandeer millions of ordinary connected devices—routers, cable modems, satellite TV equipment, and DVRs—and then coordinate them to mount attacks. After analyzing IP address data from its Cloud Security Intelligence platform, Akamai estimates that more than 2 million devices have been compromised by this type of hack, which it calls SSHowDowN. The company also says that at least 11 of its customers—in industries such as financial services, retail, hospitality, and gaming—have been targets of this attack.

The exploited protocol, called Secure Shell (SSH), is commonly used to facilitate remote system access and can be implemented robustly. But many IoT manufacturers either don’t incorporate it or are oblivious to the best practices for SSH when setting up default configurations on their devices. As makers scramble to bring their products to market, these oversights sow widespread insecurity in the foundation of the Internet of Things.

The Akamai researchers found that hackers have been able to establish unauthorized SSH connections, called “tunnels,” with IoT devices to then route malicious traffic as part of command and control infrastructure. Akamai observed this strategy being used for attacks like credential stuffing, in which attackers set up an automated system for trying to get into customer accounts on a site using credential pairs leaked in previous data breaches.

Akamai has recommended manufacturers to build in prompts for customers to change default administrator credentials, disabling SSH on devices unless it’s specifically needed, and creating ways for devices to easily receive configuration updates. For customers, the company advises changing factory default usernames and passwords when possible, disabling SSH traffic on home networks, and creating firewall restrictions on inbound and outbound SSH access if applicable. One major concern remains that unlike having their Facebook account hacked, the average person will likely never realize that their IoT devices have been compromised in this way, even if it happens to them.

Even if it’s a disturbing awakening, IoT devices now number in the tens of billions, and it’s time to protect them.