Millions of embedded devices use the same hard-coded SSH and TLS private keys
According to “computerworlduk”, a study found that thousands of routers, modems, IP cameras, VoIP phones and other embedded devices share the same hard-coded SSH (Secure Shell) host keys or HTTPS (HTTP Secure) server certificates.
By extracting those keys, hackers can potentially launch man-in-the-middle attacks to intercept and decrypt traffic between users and millions of devices.
Researchers from security firm SEC Consult analyzed firmware images for over 4,000 models of embedded devices from more than 70 manufacturers. In those images they found over 580 unique private keys for SSH and HTTPS, many of them shared between multiple devices from the same vendor or even from different ones.
When correlating those 580 keys with data from public Internet scans, they found that at least 230 keys are actively used by over 4 million Internet-connected devices. Around 150 of the HTTPS server certificates they recovered are used by 3.2 million devices and 80 of the SSH host keys are used by 900,000 devices.
The remaining keys might be used by many other devices that cannot be accessed from the Internet, but are still vulnerable to man-in-the-middle attacks inside their respective local area networks.
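The correlation step described above, grouping scanned devices by host-key fingerprint to spot keys reused across many hosts, is the same check a network owner can run over an inventory of their own devices. The example below is added here and is not code from the article or from SEC Consult; it parses constructed `ssh-keyscan`-style lines (the key blobs are fake, not real host keys) and reports every key seen on more than one device.

```python
"""Audit an SSH host-key inventory for keys shared across devices.
Input lines mimic `ssh-keyscan` output: "<host> <keytype> <base64-key>"."""
import base64
import hashlib
from collections import defaultdict

# Constructed sample (fake key blobs): three hosts share key A, two share
# key B, one host has a unique key C.
SAMPLE_SCAN = """\
192.0.2.10 ssh-rsa aG9zdC1rZXktQQ==
192.0.2.11 ssh-rsa aG9zdC1rZXktQQ==
192.0.2.12 ssh-rsa aG9zdC1rZXktQQ==
198.51.100.5 ssh-ed25519 aG9zdC1rZXktQg==
198.51.100.6 ssh-ed25519 aG9zdC1rZXktQg==
203.0.113.7 ssh-rsa aG9zdC1rZXktQw==
"""

def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_scan(text: str) -> dict:
    """Group scanned hosts by fingerprint: {fingerprint: [(host, keytype), ...]}."""
    by_fp = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64_key = line.split()[:3]
        by_fp[fingerprint(b64_key)].append((host, keytype))
    return dict(by_fp)

def shared_keys(text: str, min_hosts: int = 2) -> list:
    """Return (fingerprint, keytype, sorted hosts) for keys on >= min_hosts devices,
    most widely shared first. Unique keys are not reported."""
    found = []
    for fp, entries in parse_scan(text).items():
        if len(entries) >= min_hosts:
            found.append((fp, entries[0][1], sorted(h for h, _ in entries)))
    return sorted(found, key=lambda t: len(t[2]), reverse=True)

if __name__ == "__main__":
    for fp, keytype, hosts in shared_keys(SAMPLE_SCAN):
        print(f"{fp} ({keytype}) shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Feed it real `ssh-keyscan` output for your address ranges; any fingerprint that appears on more than one device is a candidate for a vendor-wide hard-coded key and should be regenerated where the device allows it.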
"Vendors should make sure that each device uses random, unique cryptographic keys," the researchers said. "These can be computed in the factory or on first boot."
Where possible, users should change the SSH host keys and HTTPS certificates on their devices. Unfortunately, this requires technical knowledge beyond that of an average home user and is, in many cases, impossible, especially on devices that have been locked down by ISPs.