SEC Consult experts have revealed a 40% rise in the number of internet-connected devices, such as routers and gateways, that share private cryptographic keys and certificates in unsafe ways.
Millions of Devices Share Sensitive Cryptographic Keys in Unsafe Ways
The researchers from the security vendor SEC Consult have released their report, titled House of Keys, which gives an overview of the problem. According to their study, there is a sharp increase in the number of devices using publicly known cryptographic keys for HTTPS server certificates. This is a serious issue, as this practice allows criminals to initiate man-in-the-middle attacks against the target hosts.
The report reveals that over the past nine months the number of such devices has grown from 3.2 million to 4.5 million. The researchers indicate that the 40% increase is to be expected given a few serious underlying problems. Business and home owners in many cases continue to use Internet-connected devices after they have reached the end of life (EOL) for support. Security vendors also often do not distribute security patches fast enough, or the device owners do not apply them when a serious security issue is reported or detected. Another troubling fact is that embedded systems such as Internet of Things (IoT) appliances and controllers are rarely patched with the latest security updates and firmware versions.
SEC Consult has confirmed that well-known certificate/private key pairs that have been flagged as unsafe are still in use. Various botnets and malware have exploited the weak credentials and used critical vulnerabilities to infect devices across the Web.
The company has teamed up with CERT/CC to inform about 50 different vendors and Internet service providers of the results.
SEC Consult has issued the following recommendations for amending the issues:
- Vendors should make sure that each device uses random, unique cryptographic keys. These can be computed in the factory or on first boot. In the case of CPE devices, both the ISP and the vendor have to work together to provide fixed firmware for affected devices.
- ISPs have to make sure remote access via the WAN port to CPEs is not possible. In case the ISP needs access for remote support purposes, setting up a dedicated management VLAN with strict ACLs (no CPE to CPE communication) is recommended.
- End users should change the SSH host keys and X.509 certificates to device-specific ones. This is not always possible as some products do not allow this configuration to be changed or users do not have permissions to do it (frequent in CPE devices). The required technical steps (generating a certificate or RSA/DSA key pair etc.) are not something that can be expected of a regular home user.
You can view more detailed information on their blog.
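
The recommendations above depend on every device having its own key. As an added example (not taken from SEC Consult's report or from this article), the following Python script groups `ssh-keyscan`-style output collected from your own devices by SSH host-key fingerprint and reports any key present on more than one host. The sample lines, addresses and function names are constructed for illustration.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def ssh_fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(scan_lines):
    """Return {(key_type, fingerprint): [hosts]} for keys seen on 2+ hosts."""
    hosts_by_key = defaultdict(set)
    for line in scan_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank, comment or malformed line
        host, key_type, key_b64 = fields[:3]
        try:
            fp = ssh_fingerprint(key_b64)
        except ValueError:  # undecodable base64 in the key field
            continue
        hosts_by_key[(key_type, fp)].add(host)
    return {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}

def constructed_line(host, seed):
    """Build a constructed 'host keytype base64key' line (not a real key)."""
    pub = hashlib.sha256(seed.encode()).digest()  # stand-in for 32 key bytes
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", pub))
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

# Constructed sample: two devices shipped with the same firmware key,
# one device with a key of its own. Addresses are documentation ranges.
SAMPLE_SCAN = [
    "# constructed ssh-keyscan-style output",
    constructed_line("192.0.2.10", "firmware-default"),
    constructed_line("192.0.2.11", "firmware-default"),
    constructed_line("192.0.2.12", "unique-per-device"),
]

if __name__ == "__main__":
    for (key_type, fp), hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{key_type} {fp} shared by: {', '.join(hosts)}")
```

Any host listed in the result needs its host key regenerated or, where the product does not allow that, a fix from the vendor or ISP.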