THE THREAT WRANGLERS AT Akamai have come up with something new for us to worry about, except that it isn't so much new as a decade old.
An OpenSSH vulnerability is being used to fuel distributed denial-of-service (DDoS) attacks on the bloody Internet of Things (IoT).
DDoS attacks are a constant pain, but attacks on the IoT are relatively new. A combination of the two would be a problem, unless you are the kind of company that makes its business discovering this kind of thing.
"Researchers at Akamai have been monitoring the growth of attacks leveraging IoT devices," said Eric Kobrin, director of adversarial resilience at Akamai, in a blog post about the SSHowDowN Proxy.
"These attacks are coming from compromised devices of various sorts. Akamai works hard to protect our customers and users from these attacks. With other, non-IoT types of device (including general purpose computers), owners can patch or reconfigure their systems to close vulnerabilities.
"In the IoT, device owners are often at the mercy of vendor updates to remove their devices from the pool of botnet nodes. In some cases, IoT devices are entirely unpatchable and will remain vulnerable until removed from service."
This sounds really bad. No-one wants to take their connected fridge and throw it out of the window. They are very heavy, for one thing, and they cost quite a bit.
Likewise, no-one will want to drop the IoT from their network just because a 10-year-old problem is still a problem. Or are they? Or indeed should they?
"We're entering a very interesting time when it comes to DDoS and other web attacks. ‘The Internet of Unpatchable Things' so to speak," said Ory Segal, senior director for threat research at Akamai.
"New devices are being shipped from the factory with this vulnerability exposed and without any effective way to fix it. We've been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality."
Akamai's DDoS threat information has some advice for concerned punters that starts with changing any default or admin passwords. If that is news to you, you may want to read the whole list. µ
C3-PO, R2-D2, BB-8 and other Androids
Helpful cyber vigilante gets short changed by customer services
...you know, now it's less confusing...
Firm will no longer provide updates for its first Android mobe