Security researchers have uncovered industry-wide reuse of the same cryptographic keys ‘baked’ into the firmware of routers, modems and other embedded devices.
Security firm SEC Consult studied the firmware images of more than 4,000 such devices—including internet gateways, routers, modems, IP cameras and VoIP phones—and found 580 private keys distributed across them.
What’s more, around 230 of these are actively being used on the web, it said in a blog post.
“The reasons vary from shared/leaked/stolen code, white-label devices produced by different vendors (OEM, ODM products) to hardware/chipset/SoC vendor software development kits (SDKs) or board support packages firmware is based on,” the firm added.
“Just by looking at the numbers one can deduce that it is highly unlikely that each device is intentionally exposed on the web (remote management via HTTPS/SSH from WAN IP). Enabling remote management exposes an additional attack surface and enables attackers to exploit vulnerabilities in the device firmware as well as weak credentials set by the user.”
Seagate was singled out for criticism in this regard, with 80,000 Seagate GoFlex NAS devices found on the web “exposing” HTTPS and SSH.
The top three countries in terms of affected hosts were the US (26%), Mexico (16%) and Brazil (8%).
SEC Consult said the security oversight could lead to “impersonation, man-in-the-middle or passive decryption attacks” which might allow attackers to access admin credentials and other information useful for launching further attacks.
“In order to exploit this vulnerability, an attacker has to be in the position to monitor/intercept communication. This is easily feasible when the attacker is located within the same network segment (local network),” the vendor explained.
“Exploiting this vulnerability via the internet is significantly more difficult, as an attacker has to be able to get access to the data that is exchanged. Attack vectors can be BGP hijacking, an ‘evil ISP’, or a global adversary with the capability to monitor internet traffic.”
In total, over 900 products from around 50 vendors were found to be vulnerable.
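An administrator can check a device inventory for this kind of key reuse by grouping hosts on their SSH host key fingerprint. The sketch below is an added example, not code from SEC Consult or from this article; it assumes input in `ssh-keyscan`-style lines ("host keytype base64-blob"), and the function names, sample addresses and key bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
from collections import defaultdict

def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_scan(text):
    """Yield (host, keytype, fingerprint) from ssh-keyscan style lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # banner comments, blank lines, truncated lines
        host, keytype, blob = parts[:3]
        try:
            yield host, keytype, fingerprint(blob)
        except (binascii.Error, ValueError):
            continue  # corrupt key material: skip rather than mis-group

def shared_keys(text):
    """Map fingerprint -> sorted hosts, keeping only keys seen on 2+ distinct hosts."""
    hosts_by_key = defaultdict(set)
    for host, _keytype, fp in parse_scan(text):
        hosts_by_key[fp].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_key.items() if len(h) > 1}

def _blob(seed):
    # Constructed stand-in for a key blob: made-up bytes, not a real key.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + seed * 8).decode()

# Constructed inventory (documentation address ranges only).
SAMPLE_SCAN = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-example",
    "192.0.2.10 ssh-rsa " + _blob(b"firmware-default"),
    "192.0.2.77 ssh-rsa " + _blob(b"firmware-default"),
    "198.51.100.5 ssh-rsa " + _blob(b"firmware-default"),
    "198.51.100.5 ssh-rsa " + _blob(b"firmware-default"),  # same host rescanned
    "203.0.113.9 ssh-rsa " + _blob(b"generated-on-boot"),
    "203.0.113.20 ssh-rsa not*base64",  # corrupt line, ignored
])
```

Any fingerprint returned by `shared_keys` marks devices whose host keys should be regenerated so that each device holds its own key.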
Sundaram Lakshmanan, VP of technology at CipherCloud, said the research highlights a common problem in tech “where the cryptography underneath is solid but the implementation at scale leaves the gates wide open.”
“This flaw also affects IoT devices, which presents an even bigger problem,” he added.
“Internet-enabled devices have a much smaller footprint and have to store both hardware and software, so authentication and key rotation are harder to implement. At the same time, most of these devices cannot take remote patches, which can create a nightmare scenario when it comes to fixing flaws.”