Study: Reused HTTPS Certificates & SSH Keys Put Millions of Devices at Risk
A recent study by an independent security firm analyzing over 4000 embedded devices such as routers, modems, IP cameras, VoIP phones and IPs reveal an industry-wide practice of sharing the same HTTPS server certificates and Secure Shell Host (SSH) keys.
According to a study conducted by researchers at security firm SEC Consult, vast swathes of shared HTTPS certificates and SSH keys could potentially allow malicious attackers to snoop in and listen in to encrypted traffic accessed by millions of devices and its users.
Studying the firmware in over 4000 embedded devices across 70 vendors, the researchers specifically looked into cryptographic keys. These keys include public and private keys along with certificates, among the firmware images. In a blog post, the researchers noted the most common use of such static keys. They are:
- SSL Host Keys (essentially keys needed to operate an SSH server)
- 509 certificates used for HTTPS connections.
The researchers uncovered more than 580 unique private keys in total among all the devices studied. The matching certificates were then found by correlating the keys from publicly available scans on the internet. The researchers’ discoveries include:
- Private keys of over 9% of all HTTPS hosts on the web. (150 certificates, used by 3.2 million hosts)
- Private keys of over 6% of all SSH hosts on the web (80 SSH host keys, used by 0.9 million hosts)
That’s at least 230 keys actively in use by over 4 million devices.
Static keys that are potentially vulnerable are embedded or, as the researchers note ‘baked in’ to the firmware image. These keys are predominantly used to provide HTTPS and SSH access to the device. As it turns out, all devices using the firmware also use the same keys.
When manipulated, an attacker could potentially steal a device’s SSH private key before intercepting a server and trick the end-user to communicate to the malicious end of the connection.
Another discovery by the researcher sees a large number of Seagate devices on the web. To their surprise, the researchers discovered about 80,000 Seagate GoFlex home NAS devices from their findings to expose HTTPS certificates and SSH keys.
Other findings include a large number of ISPs equipping millions of end-users with vulnerable consumer premises equipment (CPE) such as routers and modems.
For instance, CenturyLink, a US-based ISP is seen to expose HTTPS remote administration on over half a million devices, or nearly 10 percent of their total subscriber base of 6.1 million.
The Outcome of the Findings
The researchers note about 50 vendors and over 900 of their products – from their study alone – to be vulnerable. The affected vendors include the likes of Cisco, Linksys, Motorola, NETGEAR, Seagate, Vodafone and Western Digital, just to name a few.
The research team also note that they have reached out to affected device vendors and some of them have responded while starting to work on the necessary fixes.
As a solution, the researchers from SEC Consult highlight the need better security measures. An immediate first step would include vendors ensuring their devices use unique and random cryptographic keys. Keys that can be computed in on first boot or during the production run. For CPE devices, they recommend a coming-together of the vendor and the ISP to provide fixed firmware for already affected devices.
A complete record of the researchers’ discovery and findings can be read here.
Featured image from Shutterstock.