Researchers warn that millions of devices such as Internet routers, IP cameras and modems are vulnerable because they use the same encryption keys. Attackers can therefore perform man-in-the-middle attacks and eavesdropping and decrypt encrypted traffic.
Therefore might enter sensitive information into the wrong hands. The problem is with so-called embedded devices, including routers, modems, IP cameras and VoIP phones. Researchers from security firm
SEC Consult watched for their research firmware more than 4,000 such devices from more than 70 manufacturers.
They mainly looked at cryptographic keys in firmware, such as public keys, private keys and certificates. It mainly involves keys that are used to connect through SSH and X.509 certificates used for HTTPS. In total, were found more than 580 unique private keys in the 4,000 studied devices.
This information was then correlated with data from large-scale Internet scans. It emerged that the dataset with the 580 unique keys contains the private keys of 9% of the HTTPS web hosts and the private keys of more than 6% of all SSH hosts.At least 230 of the 580 keys were actively used and seen by millions of hosts.
The keys are added by manufacturers to provide connection via HTTPS and SSH. The problem is that all devices with the appropriate firmware using the same keys. It was remarkable that the same keys were found in the products of different manufacturers. For example, a certificate of Broadcom were found on the Internet at more than 480,000 units, including Linksys and ZyXEL. The problem also arises in Cisco, Huawei, Ubiquiti Networks and other vendors. The devices are especially vulnerable in the United States (26.3%) and Mexico (16.5%).
SolutionSEC Consult has worked with the CERT Coordination Center (
CERT / CC) at Carnegie Mellon University to warn the manufacturers involved and browser developers. Meanwhile, some parties have released updates. Manufacturers also are advised to use unique cryptographic keys for each device. In addition, Internet service providers to ensure that remote access over the WAN port to the equipment of their subscribers is not possible. Finally end users are advised to generic SSH keys and X.509 certificates on their devices to replace unique versions. However, the CERT / CC states that in many cases, there is no practical solution is available.