
Study: Reused HTTPS Certificates & SSH Keys Put Millions of Devices at Risk


Samburaj Das

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.


This article was posted on Friday, 19:30, UTC.

A recent study by an independent security firm, analyzing over 4000 embedded devices such as routers, modems, IP cameras, VoIP phones and IPs, reveals an industry-wide practice of sharing the same HTTPS server certificates and Secure Shell (SSH) host keys.


According to a study conducted by researchers at security firm SEC Consult, vast swathes of shared HTTPS certificates and SSH keys could potentially allow malicious attackers to eavesdrop on encrypted traffic to and from millions of devices and their users.

Studying the firmware of over 4000 embedded devices across 70 vendors, the researchers specifically looked for cryptographic keys in the firmware images. These include public and private keys along with certificates. In a blog post, the researchers noted the most common uses of such static keys:

  • SSH host keys (essentially keys needed to operate an SSH server)
  • X.509 certificates used for HTTPS connections

The researchers uncovered more than 580 unique private keys in total among all the devices studied. The matching certificates were then found by correlating the keys with data from publicly available scans of the internet. The researchers’ discoveries include:

  • Private keys of over 9% of all HTTPS hosts on the web (150 certificates, used by 3.2 million hosts)
  • Private keys of over 6% of all SSH hosts on the web (80 SSH host keys, used by 0.9 million hosts)

That’s at least 230 keys actively in use by over 4 million devices.

Static Keys

The potentially vulnerable static keys are embedded or, as the researchers note, ‘baked in’ to the firmware image. These keys are predominantly used to provide HTTPS and SSH access to the device. As it turns out, all devices using the firmware also use the same keys.
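Because every device running the same firmware presents the same key, the condition can be found in an inventory of your own devices by grouping hosts on their host-key fingerprint. The following is an added example, not code from SEC Consult or the original article; it assumes input in `ssh-keyscan` output format (`host keytype base64`), and the addresses and key blobs are constructed sample data.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(scan_lines):
    """Group 'host keytype base64' lines by fingerprint and return only
    the fingerprints presented by more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in scan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan emits '#' banner comments
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip rather than guess
        host, blob = parts[0], parts[2]
        try:
            hosts_by_fp[ssh_fingerprint(blob)].add(host)
        except ValueError:
            continue  # blob is not valid base64
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


def _constructed_ed25519_blob(seed: int) -> str:
    """Build a well-formed ssh-ed25519 blob from filler bytes (sample data only)."""
    name, key = b"ssh-ed25519", bytes([seed]) * 32
    raw = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()


# Constructed inventory: two devices share one key, a third has its own.
FIRMWARE_KEY = _constructed_ed25519_blob(0xAA)
SAMPLE_SCAN = [
    "# 192.0.2.10:22 SSH-2.0-dropbear",
    f"192.0.2.10 ssh-ed25519 {FIRMWARE_KEY}",
    f"192.0.2.11 ssh-ed25519 {FIRMWARE_KEY}",
    f"192.0.2.12 ssh-ed25519 {_constructed_ed25519_blob(0x01)}",
    "192.0.2.13 ssh-ed25519 not*base64",
]

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any fingerprint this reports for devices of the same model is a candidate for a firmware-embedded key and should be regenerated on the device.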

An attacker could potentially obtain a device’s SSH private key, then intercept the connection to the server and trick the end user into communicating with the malicious end of the connection.


Another discovery concerns the large number of Seagate devices on the web. To their surprise, the researchers found about 80,000 Seagate GoFlex home NAS devices exposing HTTPS certificates and SSH keys.

Other findings include a large number of ISPs equipping millions of end users with vulnerable customer premises equipment (CPE) such as routers and modems.

For instance, CenturyLink, a US-based ISP, is seen to expose HTTPS remote administration on over half a million devices, or nearly 10 percent of its total subscriber base of 6.1 million.

The Outcome of the Findings

The researchers note about 50 vendors and over 900 of their products – from their study alone – to be vulnerable. The affected vendors include the likes of Cisco, Linksys, Motorola, NETGEAR, Seagate, Vodafone and Western Digital, just to name a few.

The research team also notes that it has reached out to affected device vendors, and that some of them have responded and started work on the necessary fixes.

As a solution, the researchers from SEC Consult highlight the need for better security measures. An immediate first step would be for vendors to ensure that their devices use unique and random cryptographic keys, which can be computed on first boot or during the production run. For CPE devices, they recommend that the vendor and the ISP come together to provide fixed firmware for already affected devices.

A complete record of the researchers’ discovery and findings can be read here.
