Re-Using Same Encryption Keys
- SSH host keys
- X.509 HTTPS certificates
SSH host keys verify the identity of a device running an SSH server using a public-private key pair. If an attacker steals a device’s SSH host private key, they can impersonate the device and trick a victim’s computer into talking to the attacker’s machine instead.
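As an added illustration, not part of the original article or of SEC Consult's tooling, the Python script below does the defender-side version of the study's check: it reads a known_hosts-style inventory of devices, computes the SHA256 fingerprint that `ssh-keygen -lf` prints for each host key, and reports any fingerprint presented by more than one device. The host names and key blobs are constructed placeholders, not real keys.

```python
"""Added example: find devices that share an SSH host key.

Reads an inventory in OpenSSH known_hosts format ("<host> <key-type> <base64 blob>"),
computes the same SHA256 fingerprint that `ssh-keygen -lf` prints, and groups hosts
by fingerprint. Any fingerprint seen on more than one host points at key reuse.
The sample inventory below is constructed: the blobs are placeholder bytes, not real keys.
"""
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


def _placeholder_blob(label: str) -> str:
    # Constructed stand-in for a real key blob; only equality matters for this demo.
    return base64.b64encode(label.encode()).decode()


SHARED = _placeholder_blob("constructed-shared-firmware-key")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed inventory of embedded devices",
    f"modem-a.example.net ssh-rsa {SHARED}",
    f"modem-b.example.net ssh-rsa {SHARED}",
    f"modem-c.example.net,10.0.0.3 ssh-rsa {SHARED}",  # comma-separated host aliases
    f"camera-1.example.net ssh-ed25519 {_placeholder_blob('constructed-unique-key-1')}",
    f"nas-1.example.net ssh-rsa {_placeholder_blob('constructed-unique-key-2')}",
    "",
])


def openssh_fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in OpenSSH's notation: base64 of the digest, padding stripped."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (host, key_type, blob) per entry. Comment and blank lines are skipped;
    a comma-separated host field expands to one entry per host name."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # "@cert-authority" / "@revoked" markers
            fields = fields[1:]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected '<host> <type> <blob>'")
        hosts, key_type, blob = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            entries.append((host, key_type, blob))
    return entries


def find_shared_host_keys(text: str) -> Dict[str, List[str]]:
    """Map fingerprint -> sorted hosts, keeping only fingerprints used by 2+ hosts."""
    by_fp: Dict[str, set] = defaultdict(set)
    for host, _key_type, blob in parse_known_hosts(text):
        by_fp[openssh_fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Running it against a real inventory (for example the output of `ssh-keyscan` over your own address ranges) turns the article's finding into a routine audit: a fingerprint that appears on many devices you did not deliberately provision with one key is a signal to regenerate host keys on first boot. The same grouping applies to HTTPS certificates by hashing the DER-encoded certificate instead of the SSH key blob.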
MILLIONS of Devices Open to Attacks
Moreover, the researchers recovered around 150 HTTPS server certificates that are used by 3.2 Million devices, along with 80 SSH host keys that are used by at least 900,000 devices.
Where Does the Actual Problem Reside?
- Insecure default configurations by vendors
- Automatic port forwarding via UPnP
- Provisioning by ISPs that configure their subscribers’ devices for remote management
“The source of the keys is an interesting aspect. Some keys are only found in one product or several products in the same product line. In other cases we found the same keys in products from various vendors,” SEC Consult wrote in its blog post.
List of Vendors that are Re-Using Encryption Keys
Although SEC Consult identified more than 900 vulnerable products from roughly 50 manufacturers, the actual number could be even higher considering that its study only targeted firmware the company had access to.
ADB, AMX, Actiontec, Adtran, Alcatel-Lucent, Alpha Networks, Aruba Networks, Aztech, Bewan, Busch-Jaeger, CTC Union, Cisco, Clear, Comtrend, D-Link, Deutsche Telekom, DrayTek, Edimax, General Electric (GE), Green Packet, Huawei, Infomark, Innatech, Linksys, Motorola, Moxa, NETGEAR, NetComm Wireless, ONT, Observa Telecom, Opengear, Pace, Philips, Pirelli, Robustel, Sagemcom, Seagate, Seowon Intech, Sierra Wireless, Smart RG, TP-LINK, TRENDnet, Technicolor, Tenda, Totolink, unify, UPVEL, Ubee Interactive, Ubiquiti Networks, Vodafone, Western Digital, ZTE, Zhone and ZyXEL.
Most Affected Countries
- United States
- Russian Federation
- United Kingdom