Internet of Sins: Million more devices sharing known private keys for HTTPS, SSH admin

Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications.

This is according to research from SEC Consult, which said in a follow-up to its 2015 study on security in embedded systems that the practice of reusing widely known secrets is continuing unabated.

Devices and gadgets are still sharing private keys for their builtin HTTPS and SSH servers, basically. It is not difficult to extract these keys from the gizmos and use them to eavesdrop on encrypted connections and interfere with the equipment: imagine intercepting a connection to a web-based control panel, decrypting it, and altering the configuration settings on the fly. And because so many models and products are using the same keys, it's possible to attack thousands of boxes at once.

SEC Consult senior security consultant Stefan Viehböck scanned the public internet and found that the practice of using known private keys has increased over the past nine months, with the number of net-accessible vulnerable devices ballooning to more than 4.5 million network appliances, IoT devices, and embedded systems around the world. That's up 40 per cent, or 1.3 million, from November, according to SEC Consult.

While the cause for the issues can vary, SEC Consult has said that the problem can often stem from vendors not bothering to change the settings on their hardware components, in many cases leaving the default keys and certificates in place with software developer kits.

"There are many explanations for this development. The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/EoL products might be a significant factor, but even when patches are available, embedded systems are rarely patched," SEC Consult said.

"Insufficient firewalling of devices on the WAN side (by users, but also ISPs in case of ISP-supplied customer premises equipment [CPE]) and the trend of IoT-enabled products are surely a factor as well."

The ultimate solution to the problem, says SEC Consult, will be to force each device to have a unique security key for data transmissions. In most cases, this responsibility will fall on the vendors to step up their security efforts both before and after hardware is released.

Additionally, the researchers recommend that service providers use a VLAN connection when performing remote support on devices, and limit the way a connection can be established with on-premise hardware that ISPs provide customers.

As for the end users who are left most vulnerable by the sloppy security practices, SEC Consult notes that only so much can be done.

"End users should change the SSH host keys and X.509 certificates to device-specific ones," the company recommends.

"This is not always possible, as some products do not allow this configuration to be changed or users do not have permissions to do it (frequent in CPE devices). The required technical steps (generating a certificate or RSA/DSA key pair, etc) are not something that can be expected of a regular home user." ®