October 14, 2016
New research from Akamai Technologies reveals that hackers are remotely taking over DVRs, satellite antennas and networking devices to steal massive numbers of login credentials. The company says that, in recent months, hackers have plundered as many as two million so-called smart devices in “credential stuffing campaigns,” which means they test whether the compromised user names and passwords can access other websites. Among the devices hacked are Ruckus Wireless Wi-Fi hot spots from Brocade Communications.
The Wall Street Journal quotes Akamai researchers who described the scenario: “Once malicious users access the Web administration console of these devices they can then compromise the device’s data and in some cases, take over the machine,” adding that the proliferation of smart devices has led to increased problems.
For example, although Ruckus first issued a security advisory in 2013, the problem has reemerged. Johnson & Johnson also warned doctors and diabetes patients that one of its insulin pumps could be attacked.
Over the years, banks and retailers “have grown better at recognizing login attempts from suspicious Internet addresses … but using connected devices as proxies opens a new avenue” for hackers to steal important data as well as exploit “the factory settings of connected devices.” In one instance last month, they “used as many as one million security cameras, digital video recorders and other infected devices to knock websites offline.”
Secure shell protocol (SSH) — which most computers use to handle login requests — has proven to be a weak link, says Akamai research, which adds that port forwarding also allows hackers “to turn the machines into relays for their attacks.”
Hackers also count on the fact that, “millions of connected devices ranging from home routers to security cameras ship with the same default username and password, making it easy for attackers to gain control.” Users are unaware of the hack “because the traffic flowing through their machine doesn’t interfere with normal use.”
Akamai security researcher Ryan Barnett says that, “experts have known about SSH’s vulnerability since 2004, though they only recently discovered its frequent use in real-world attacks.” Although “some security experts have urged device makers to add stronger protections into their products, warning that inaction could make government regulators intervene,” Consumer Technology Association executive Brian Markwalter says government regulation is unnecessary and that his group will “address security issues.”
One Day, Cars Will Connect With Your Fridge and Your Heartbeat, The New York Times, 10/14/16