In news that will likely come as a surprise to no one given the never-ending proliferation of cyber-attacks over the last decade or so, hackers have found a new and exciting way to turn DVRs, satellite antennas and networking devices against their owners. Apparently all such devices offer an excellent place to do mass tests of stolen login credentials, according to research from Akamai Technologies Inc.
The report also confirms that hackers have apparently spent month at a time using millions of “smart” devices to see if stolen passwords are usable on more than one site. There is even a name for this type of hacking: “credential stuffing campaigns.”
“Once malicious users access the web administration console of these devices they can then compromise the device’s data and in some cases, take over the machine,” Akamai researchers wrote in their report. They noted that the vulnerability isn’t new but has resurfaced with the proliferation of connected devices and said they are working with some of the biggest device vendors on “a proposed plan of mitigation.”
The quick list of affected devices includes those of Ruckus Wireless, a Wi-Fi hot spot maker owned by Brocade Communications Systems Inc. of San Jose, Calif. Ruckus has reportedly attempted to address the issue over the last several years — but according to Akamai, it has not succeeded as of yet.
The news comes amid concerns that weaknesses in the factory settings of connected devices give hackers an easy tool by which to access websites illegally. Akamai’s research showed smart devices could be manipulated using secure shell protocol, better known as SSH. Most computers use this standard to handle login requests, even from devices outside a network firewall. Akamai said it noted the issue when it saw thousands of login requests suddenly start pouring in to customer sites. Akamai deduced that hackers were mass testing passwords for consumers to see which ones worked and could be resold as part of a credentials packet.