In a previous post, I wrote about attackers using default passwords in FTP and Telnet to compromise devices (especially IoT ones such as cameras). The compromised devices were then used to attack other devices on the Internet. I suggested users change passwords on the devices where possible but acknowledged that some were not changeable. I chided manufacturers for using easy-to-guess or easy-to-discover passwords that couldn’t be changed.
One way to address the problem would be for the vendors to use SSH (secure shell). For those of you not familiar with the differences, one is that SSH encrypts its traffic and Telnet does not. The difference we are interested in, though, is that SSH has multiple means of authentication.
If we used SSH with passwords, an attacker could still guess common passwords or search memory for passwords. Also, each device of the same make and model has the same password, so discovering one leads to the discovery of all. The argument the vendors make for using Telnet and the same password on each device is that they created these accounts for remotely managing the device: updating software, for instance. Lucky for them, they can do that securely with SSH using an authentication method other than plain passwords.
Perhaps the most common mode for SSH is public key authentication. In this case, the server (e.g. the IoT device) has a public key corresponding to the user’s (the manufacturer’s) private key. Even if the public key were discovered (it is public, after all), attackers would not be able to use it for access unless they knew the corresponding private key. This means manufacturers could safely have the same public key on each unit. They could even publish the key.
The implementation is not difficult with the hardware most small routers use. In fact, the third-party firmware replacement DD-WRT supports SSH. Not all devices have the hardware and memory small routers do, but the point is that small devices can support SSH.
For uploading files, many use SCP or SFTP with SSH. They are often distributed together. This would allow the use of the same private key for authentication of the file transfer. That’s a win for all with the possible exception of folks who want to tinker with the device firmware where the manufacturer doesn’t provide an alternative way to upload it.
It’s essential to configure systems to log access attempts so that unauthorized access may be detected. CyberSec First Responder (CFR), an ANSI-accredited/DoD-approved IT security certification from Logical Operations, validates knowledge for assessing password vulnerability by using ncrack to gain access to a system through SSH and also covers the log setup and analysis.
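As an added example (not part of the original post), here is one way to review SSH access logs on a device that is meant to accept only public key logins: it counts failed attempts per source address and flags any login accepted by a method other than a key. The log lines are constructed samples in the usual OpenSSH syslog format, and the host name, addresses, and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH sshd syslog format
# (host name, users, and documentation-range IPs are made up).
SAMPLE_LOG = """\
Mar  3 02:14:01 cam01 sshd[811]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 02:14:03 cam01 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 02:14:05 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.5 port 51240 ssh2
Mar  3 02:14:09 cam01 sshd[815]: Accepted password for admin from 203.0.113.5 port 51300 ssh2
Mar  3 08:30:12 cam01 sshd[901]: Accepted publickey for root from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED-FINGERPRINT
Mar  3 09:01:44 cam01 sshd[950]: Failed password for root from 192.0.2.44 port 33012 ssh2
"""

# Matches sshd authentication result lines, with or without "invalid user".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, fail_threshold=3):
    """Return (guessing_sources, non_key_logins) found in sshd log text."""
    failures = Counter()
    non_key_logins = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # not an authentication result line
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
        elif m["method"] != "publickey":
            # On a key-only device, any other accepted method is an anomaly.
            non_key_logins.append((m["user"], m["ip"], m["method"]))
    # Sources at or above the (assumed) threshold look like password guessing.
    guessing = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return guessing, non_key_logins

if __name__ == "__main__":
    guessing, non_key = analyze(SAMPLE_LOG)
    for ip, n in guessing.items():
        print(f"password guessing: {n} failures from {ip}")
    for user, ip, method in non_key:
        print(f"non-key login: {user} from {ip} via {method}")
```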
Additionally, in Learning Tree’s System and Network Security Introduction, we discuss embedded devices, passwords, and SSH/SCP. Course participants also install and use ssh. I hope to see you there.
To your safe computing,