Catch-22: Uncovering Compromised Hosts using SSH Public Keys
Cristian Munteanu
34th USENIX Security Symposium (USENIX Security '25) · Day 1 · Network Security 1: Censorship, Evasion, and Trustworthy Infrastructure
The Secure Shell (SSH) protocol is the standard mechanism for secure remote access and administration. Its deployment on over 40 million machines worldwide also makes it an attractive target for attackers seeking persistent access and control, commonly by planting their own public keys on a compromised host. This talk, "Catch-22: Uncovering Compromised Hosts using SSH Public Keys," presented by Cristian Munteanu, describes a method for identifying compromised SSH servers that relies on a subtle but security-relevant property of the SSH public-key authentication exchange: a server indicates whether a given public key is authorized before any signature is supplied, which acts as a key-presence oracle and lets a known attacker key be checked for without completing a login.
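The detection behind the talk reduces to comparing public keys a host accepts against a feed of keys known to be planted by attackers. As an added example (not the author's code), the Python below performs the defender-side version of that check on a host's own authorized_keys file, flagging any entry whose OpenSSH SHA256 fingerprint appears on such a feed; the keys, the feed and the file contents are constructed for the demo.

```python
"""Audit an OpenSSH authorized_keys file against a feed of known-malicious public keys.
Fingerprints use OpenSSH's format so hits line up with `ssh-keygen -lf` and key feeds."""
import base64
import hashlib
import struct
from typing import Iterator, List, Set, Tuple

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")

def fingerprint(blob: bytes) -> str:
    """SHA256: + unpadded base64 of the SHA-256 digest of the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> Iterator[Tuple[int, str, bytes]]:
    """Yield (line_no, key_type, blob) per entry; skip blanks, comments, unparseable
    lines, and any leading options field (command=..., from=..., no-pty, ...)."""
    for line_no, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # no recognised key type followed by a key blob
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        yield line_no, fields[idx], blob

def audit(authorized_keys: str, blocklist: Set[str]) -> List[Tuple[int, str]]:
    """Return (line_no, fingerprint) for every entry whose fingerprint is on the feed."""
    found = ((n, fingerprint(b)) for n, _t, b in parse_authorized_keys(authorized_keys))
    return [(n, fp) for n, fp in found if fp in blocklist]

def ed25519_blob(raw32: bytes) -> bytes:
    """SSH wire encoding of an Ed25519 public key: string(type) || string(32-byte key)."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32

# Constructed data: an admin key, a key attackers are known to plant, a feed with the
# latter's fingerprint, and an authorized_keys file that contains both keys.
ADMIN_KEY = ed25519_blob(bytes([0x22]) * 32)
MALICIOUS_KEY = ed25519_blob(bytes([0x11]) * 32)
BLOCKLIST = {fingerprint(MALICIOUS_KEY)}
SAMPLE_FILE = "\n".join([
    "# constructed authorized_keys",
    f"ssh-ed25519 {base64.b64encode(ADMIN_KEY).decode()} admin@host",
    f'command="/bin/sh",no-pty ssh-ed25519 {base64.b64encode(MALICIOUS_KEY).decode()} x',
    "garbage line that is not a key",
])
```

Running `audit(SAMPLE_FILE, BLOCKLIST)` reports only line 3, the entry hidden behind an options field, and the returned fingerprint can be pasted straight into an incident ticket or compared with `ssh-keygen -lf` on the live host.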
AI review
Clever use of a known SSH protocol quirk — the server-side key-presence oracle — scaled to internet-wide scanning with real malicious key feeds and a functioning notification pipeline. Solid applied research with measurable real-world impact, but the core protocol observation isn't new (the GitHub enumeration post from 2017 is literally cited), and the engineering lift is incremental rather than breakthrough.