Do you feel your internet-connected devices are spying on you? Maybe they really are. Internet of Things devices are badly insecure because of default passwords and unencrypted API processing. IoT devices are now a definite target for hackers who want to build botnets and launch Distributed Denial of Service (DDoS) attacks against target services.

New research published as a PDF by Akamai Technologies shows how a new, unknown threat actor (or you can simply call them ‘hackers’) is using a 12-year-old vulnerability in OpenSSH to secretly gain control of millions of connected devices that ship with an unpatched version of the OpenSSH server.

Hackers turn those devices into proxies for malicious traffic to attack other internet-based targets and other internet-facing services, along with the internal networks that host them. A true Internet of Unpatchable Things disaster.

The bug itself is dubbed SSHowDowN Proxy and specifically makes use of IoT devices such as:

  • Internet-connected Network Attached Storage (NAS) devices.
  • CCTV, NVR, DVR devices (video surveillance).
  • Satellite antenna equipment.
  • Networking devices like routers, hotspots, WiMax, cable and ADSL modems.
  • Other devices could be susceptible as well.

After analyzing IP addresses from its Cloud Security Intelligence platform, Akamai estimates that over 2 million IoT and networking devices have been compromised by SSHowDowN-type attacks.

Due to lax credential security, hackers can compromise IoT devices and then use them to mount attacks “against a multitude of Internet targets and Internet-facing services, like HTTP, SMTP and network scanning,” and to mount attacks against internal networks that host these connected devices.

Once hackers access the web administration console of vulnerable devices, it is possible for them to compromise the device’s data and, in some cases, fully take over the affected machine.

While the flaw itself is not so critical, the company says the continual failure of vendors to secure IoT devices, as well as their use of default and hard-coded credentials, has left the door wide open for hackers to exploit them.