Akamai has a report out this morning detailing yet another attack vector it is seeing out there, and it's one that may bring a dose of reality to the Internet of Things. Since the term itself was coined, there have been cautions that security would be a big IoT issue. But nevertheless that threat was below the horizon still, and thus still ignorable.
But Akamai security gurus Ory Segal and Ezra Caltum say they have identified recent attacks that use a range of IoT devices to remotely generate attack traffic. It's not even a new vulnerability, but the use of a 12 year old weakness in OpenSSH combined with the tendency to keep default configurations. Various CCTV, DVR, NVR, satellite antenna equipment, modem, router, and NAS devices, and others are apparently vulnerable out of the box.
Yet the scary thing is not really that the IoT might be vulnerable, we knew that. The devices may be new, but the underlying software they run actually isn't. But that despite the potential, most of these devices don't have a path by which a fix can be applied. Upgrading the firmware or tweaking the security settings on a router or any such device is doable for the technically-minded, but it's a manual process -- we're not talking about Windows Update here. If it's not automated, in the IoT with its posited billions of devices it just won't happen.
Segal calls it 'The Internet of Unpatchable Things'. That is going to have to change mighty quick.
For its part, Level 3 said this morning that more needs to be done promoting cybersecurity careers. Seems like a no-brainer to me too.