Skip to main content

Hackers use SSH to control connected devices for brute-force attacks

akarnai ssh report brute force credential stuffing internet devices data center feat
Image used with permission by copyright holder
Content delivery network service provider Akamai Technologies released a new report on Wednesday (PDF) stating that hackers are taking advantage of a 12-year-old vulnerability in OpenSSH to gain control of internet-connected devices for mass-scale attack campaigns. The company dubs these attacks as “SSHowDowN Proxy,” which for now seem focused on using video surveillance devices, satellite antenna equipment, network devices, and internet-connected network-attached storage units.

According to the company, these compromised devices are used as proxies to attack a number of internet-based targets and “internet-facing” services, as well as the internal networks that host them. Hackers are actually gaining control of the devices by accessing their low-level command line console that still relies on the factory-shipped default login credentials provided by the vendor.

Recommended Videos

SSH stands for Secure Shell, and is a cryptographic network protocol that provides a secure channel, enabling services like remotely accessing a desktop residing on a home network from a public Wi-Fi access point. This protects data like usernames and passwords as the information travels across the internet. But this protocol isn’t completely secure, and Edward Snowden even indicated that the NSA could decrypt some SSH traffic.

Please enable Javascript to view this content

Akamai began its investigation after it noticed active malicious HTTP/HTTPS traffic stemming from a third-party Network Video Recorder device targeting customer accounts. After determining that there were no unauthorized users accessing its network, the company then listed the device’s live network connections and their associated process IDs. The results showed that someone was running SSH connections using the default “admin” credentials provided by the manufacturer.

The thing is, the admin/admin credentials, by default, only allows web-based access to the machine, and does not provide SSH-level access. Whoever accessed the NVR machine took advantage of several SSH options to get past the default credential restriction. After that, the hacker set up the device as a proxy server, which establishes a TCP connection to a legitimate server from a remote client. Thus, any attack on a network would appear to stem from the NVR machine itself.

With all of this in mind, the company turned to other internet-connected devices to see if they have the same problem. In addition to the group of devices listed above, the company also saw that many units had additional weak points where a hacker wouldn’t need credentials at all to gain access to the device. For instance, one popular router has a “root” privileged user account while a common wireless hot spot doesn’t require a password for SSH connections.

As previously stated, the capability of this attack isn’t just internet-based. SSHowDowN Proxy could be used internally on a home or office network too.

“We managed to confirm and validate the feasibility of this severe abuse-case in our lab environment, and believe that malicious users are and will continue to actively exploiting this to penetrate private networks.”

So what are hackers actually doing with these devices? In the case of Akamai Technologies, they’re trying to break into customer accounts by way of a “credential stuffing” attack. They have gained access to username/password pairs and are automatically injecting the information via brute force at the account login page.

Although the report focuses on Akamai customers, the problem extends beyond the company’s user base. Akamai suggests that consumers change the default credentials of their internet-connected devices, and to make specific changes if the device offers direct file system access. Consumers are also suggested to disable SSH if the feature is not required.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Chrome incognito just got even more private with this change
The Chrome browser on the Nothing Phone 2a.

Google Chrome's Incognito mode and InPrivate just became even more private, as they no longer save copied text and media to the clipboard, according to Windows Latest. The changes apply to Windows 11 and 10 users and were rolled out in 2024. However, neither Microsoft nor Google documented it.

Even though this change is not a recent feature, it's odd that neither tech giant thought it was worth mentioning. Previously, the default setting was that when a user saved text or images to the clipboard history, it was synced with Cloud Clipboard on Windows. Moreover, accessing this synced content was as simple as pressing the Windows and V keys, which poses a security risk, especially when using incognito mode.

Read more
Apple’s Vision Pro is getting the M5 chip, but that’s not what it really needs
Two people talk while one wears an Apple Vision Pro headset. Their eyes are visible through the device using the EyeSight feature.

We’ve not yet seen the full rollout of Apple’s M4 chip family -- the M4 Ultra is still yet to make an appearance -- but already we’ve just learned that the M5 chip is now in production. That means it’ll probably arrive in Macs either late this year or early next year.

If you’ve been waiting to buy a new MacBook Pro, that could mean 2026 is the year to finally pull the trigger. After all, Apple is expected to fully redesign its flagship laptop for next year’s release, and if that coincides with a powerful new M5 chip, all the better.

Read more
This Acer Predator gaming PC with RTX 4070 Ti Super is $350 off
The side profile of the Acer Predator Orion 5000 gaming PC.

You should be careful if you're thinking about upgrading with gaming PC deals, as not all machines are worth your hard-earned money. Here's one that we highly recommend: the Acer Predator Orion 5000 at $350 off from Best Buy, which brings its price down to $1,750 from $2,100. It's still not what you'd call affordable after that discount, but this is the type of machine that you will never regret buying. You're going to want to complete your transaction for it as soon as possible though, as there's no telling when the offer expires.

Why you should buy the Acer Predator Orion 5000 gaming PC
The Acer Predator Orion 5000 challenges the best gaming PCs with specifications that will let you play the best PC games at their most demanding settings. It's powered by the 14th-generation Intel Core i7 processor and the Nvidia GeForce RTX 4070 Ti Super graphics card, along with 32GB of RAM that our guide on how much RAM do you need says is the sweet spot for high-end gamers. The gaming desktop also comes with Windows 11 Home pre-loaded in its 2TB SSD, which will provide enough storage space for multiple AAA titles with all their necessary updates and optional add-ons.

Read more