Skip to main content

Hackers use SSH to control connected devices for brute-force attacks

Content delivery network service provider Akamai Technologies released a new report on Wednesday (PDF) stating that hackers are taking advantage of a 12-year-old vulnerability in OpenSSH to gain control of internet-connected devices for mass-scale attack campaigns. The company dubs these attacks as “SSHowDowN Proxy,” which for now seem focused on using video surveillance devices, satellite antenna equipment, network devices, and internet-connected network-attached storage units.

According to the company, these compromised devices are used as proxies to attack a number of internet-based targets and “internet-facing” services, as well as the internal networks that host them. Hackers are actually gaining control of the devices by accessing their low-level command line console that still relies on the factory-shipped default login credentials provided by the vendor.

Recommended Videos

SSH stands for Secure Shell, and is a cryptographic network protocol that provides a secure channel, enabling services like remotely accessing a desktop residing on a home network from a public Wi-Fi access point. This protects data like usernames and passwords as the information travels across the internet. But this protocol isn’t completely secure, and Edward Snowden even indicated that the NSA could decrypt some SSH traffic.

Akamai began its investigation after it noticed active malicious HTTP/HTTPS traffic stemming from a third-party Network Video Recorder device targeting customer accounts. After determining that there were no unauthorized users accessing its network, the company then listed the device’s live network connections and their associated process IDs. The results showed that someone was running SSH connections using the default “admin” credentials provided by the manufacturer.

The thing is, the admin/admin credentials, by default, only allows web-based access to the machine, and does not provide SSH-level access. Whoever accessed the NVR machine took advantage of several SSH options to get past the default credential restriction. After that, the hacker set up the device as a proxy server, which establishes a TCP connection to a legitimate server from a remote client. Thus, any attack on a network would appear to stem from the NVR machine itself.

With all of this in mind, the company turned to other internet-connected devices to see if they have the same problem. In addition to the group of devices listed above, the company also saw that many units had additional weak points where a hacker wouldn’t need credentials at all to gain access to the device. For instance, one popular router has a “root” privileged user account while a common wireless hot spot doesn’t require a password for SSH connections.

As previously stated, the capability of this attack isn’t just internet-based. SSHowDowN Proxy could be used internally on a home or office network too.

“We managed to confirm and validate the feasibility of this severe abuse-case in our lab environment, and believe that malicious users are and will continue to actively exploiting this to penetrate private networks.”

So what are hackers actually doing with these devices? In the case of Akamai Technologies, they’re trying to break into customer accounts by way of a “credential stuffing” attack. They have gained access to username/password pairs and are automatically injecting the information via brute force at the account login page.

Although the report focuses on Akamai customers, the problem extends beyond the company’s user base. Akamai suggests that consumers change the default credentials of their internet-connected devices, and to make specific changes if the device offers direct file system access. Consumers are also suggested to disable SSH if the feature is not required.

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Upgrade to this Alienware 4K QD-OLED gaming monitor while it’s $300 off
Cyberpunk 2077 being played on the Alienware 32 QD-OLED.

The powerful machine you purchased from gaming PC deals should be paired with a premium display, and the 32-inch Alienware 4K QD-OLED gaming monitor comes with our stamp of approval. It's also on sale from Dell right now, with a $300 discount slashing its price from $1,200 to only $900. That's a steal when you consider the capabilities of this screen, so you're going to have to hurry with your purchase as stocks may run out at any moment.

Why you should buy the 32-inch Alienware 4K QD-OLED gaming monitor

Read more
Living without antivirus? Grab Avast Premium while it’s 70% off
A couple on a couch using a tablet.

I've been using the free version of Avast antivirus software for well over a decade now. It's always among the first batch of downloads I grab when I get a new laptop. Our reviewers even gave Avast One for Mac a 9 out of 10 review. But this week, Avast has a compelling offer that will convince freeloaders like me to get the paid version of Avast.

Right now, Avast Premium has an incredible 70% discount. That drops the price of one device from $80 per year to $23.40, or just under $2 per month. If you want to cover 10 devices, the price is only slightly higher, at $30 per year, or $2.50 per month. If you've been using the free version of Avast for a while, or you haven't been using antivirus software at all, this is a deal you need to check out.

Read more
Why macOS Tahoe is a big deal for Intel Macs
Apple unveiling macOS Tahoe at WWDC 2025.

Apple’s WWDC event kicked off on Monday with the usual slew of fresh announcements and updates showcasing the company’s software plans for the year ahead.

And as with every WWDC keynote, the upcoming shift to new software also signaled diminishing support for older Apple devices.

Read more