CAMBRIDGE, Mass., Oct. 14, 2016 /PRNewswire/ -- Lexumo, developer of the world's first automated service for continuously monitoring Internet of Things (IoT) code for critical open source vulnerabilities, today announced that its cloud-based platform has been constantly protecting customers from the SSHowDowN vulnerability (CVE-2004-1653) – well prior to Akamai's recent announcement.
Akamai reports that hackers are now exploiting the 12-year old OpenSSH vulnerability to mount mass-scale attacks from millions of compromised IoT devices, including routers, cable modems, satellite TV equipment, and IP-connected cameras, DVRs and NAS (Network Attached Storage) devices. The attacks create unauthorized SSH tunnels which are then used to route malicious traffic against victim sites while hiding the attackers' identities. Attackers also use the devices as beachheads to launch internal attacks against corporate networks.
Lexumo uses graph analytics and machine learning developed for DARPA to precisely identify public vulnerabilities such as Heartbleed, Shellshock (Bashdoor), and SSHowDowN in IoT code. The platform also provides detailed instructions for remediating vulnerabilities in order to avoid their exploitation by cyberattackers. The company was recently recognized as an IoT Company to Watch and a Machine Learning Startup to Watch.
"Cyberattackers look for the path of least resistance – and vulnerabilities that have been around for years are a great place to start," said Richard Carback, PhD, co-founder and Chief Architect at Lexumo. "Unlike with zero days, information about public open source vulnerabilities is broadly available via public message boards and email lists. Many IoT devices are particularly vulnerable because they haven't been designed with security in mind, so there's a good chance this type of attacker technique will become significantly more popular in the future. It would seem like a minimum standard of due care for manufacturers to use automation to ensure they're not shipping devices with vulnerabilities like SSHowDowN."
The impact of shipping insecure IoT devices was also illustrated a few weeks ago when cyberattackers exploited vulnerabilities in 1.5 million IoT devices to generate the world's most powerful Distributed Denial of Service (DDoS) attack to date. The unprecedented attack successfully disabled the website of well-known security researcher Brian Krebs. Cyberattackers also leveraged their massive botnet army to launch a separate DDoS attack on European ISP OVH that reached nearly one terabit per second (Tbps).
Brad Gaynor, Lexumo Co-Founder and CTO, will be speaking about these topics at the IoT Security Summit in Boston next week. His talks include Balancing Security and Technology Spending in the Industrial IoT (October 19, 2:40-3:20pm) and The Next Generation of Embedded Security (October 20, 2:40-3:20pm).
Lexumo will also be demonstrating its innovative code security solution in Booth #202, where attendees can meet the company's founders and discuss IoT cybersecurity with Lexumo's experts.
Lexumo secures the world's open source software. Our cloud-based service enables developers to securely adopt the best open source available — so they can ship great products faster. Lexumo uses "Big Code" analytics to precisely identify critical vulnerabilities without the inaccuracies associated with legacy open source software (OSS) governance solutions, even when code has previously been modified or patched.
Built on a massively-scalable, AWS-based cloud stack, Lexumo's service integrates with existing developer workflows (Jenkins, Jira, etc.); provides actionable information in the form of detailed patching instructions; and continuously monitors your code for vulnerabilities without requiring any developer interaction.
For more information, visit https://www.lexumo.com.