Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/6/2016
05:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cryptographic Key Reuse Remains Widespread In Embedded Products

Nine months after SEC Consult warned about the reuse of private keys and certificates in routers, modems, other products, problem has grown worse.

Nine months after application security services provider SEC Consult warned about widespread reuse of cryptographic credentials in embedded products like Internet routers, gateways and modems, the problem only appears to have gotten worse, not better.

In an alert this week, SEC Consult said the number of web devices with known private keys for HTTPS server certificates has shot up 40 percent from last November when the company first warned about the issue. From 3.2 million devices in November 2015, the number of IPv4 hosts using a known private key now stands at 4.7 million currently.

Along with its alert, SEC Consult this week also released on GitHub a total of 331 HTTPS server certificates along with their matching private keys, that are available to anyone via an Internet scan. The security firm also released a list of products using the publicly available certificates and keys.

The data gives researchers an opportunity to verify SEC Consult’s conclusions and find for themselves more cases of cryptographic key reuse and keys that are attributable to specific products and vendors.

“Releasing the private keys is not something we take lightly as it allows global adversaries to exploit this vulnerability class on a large scale,” SEC Consult said in its alert. “However we think that any determined attacker can repeat our research and get the private keys from publicly available firmware with ease.”

The security implications of cryptographic key reuse is substantial, says Johannes Greil, head of SEC Consult’s vulnerability lab, in comments to Dark Reading. Devices using cryptographic keys that are known publicly, are susceptible to man-in-the-middle attacks including those where an attacker can alter allegedly secure connections without any one noticing.

The big problem here is that vendors of embedded products often leave hardcoded SSH keys and HTTPS server certificates in their devices so as to enable web access to the devices and for use by other protocols such as EAP/802.1X or FTPS, he says.

But since these keys and certificates are the same across multiple products, they are relatively easy to exploit, Greil says.

SEC Consult’s alert follows one from last November when it first drew attention to the problem of widespread certificate and key reuse on the Internet.

In its initial study, SEC Consult analyzed the firmware on more than 4,000 embedded devices from over 70 vendors. The company examined the use of cryptographic public keys, private keys, and certificates in the firmware images of products like routers, modems, and IP cameras and found more than 580 unique private keys distributed across the devices.

The company correlated the data with data from Internet-wide scans using Scans.io and Censys.io and found that about 150 server certificates from its data set were being used by about 3.2 million hosts and another 80 SSH host keys used by nearly 1 million hosts.

Some keys were found in one product or several products in the same product line. In other cases, SEC Consult found the same keys being used in products from multiple vendors, likely as the result of the keys being shared, leaked or even stolen or because the same product was being sold to different brands.

SEC Consult says it has worked with CERT/CC to notify affected device vendors, ISPs and chipset makers of the issue since August 2015.

The fact that the problem remains widespread despite this outreach shows how difficult it is to get vendors to patch their systems. “It's an industry-wide problem. Many vendors are lazy in regards to providing patches for their devices, [which] once sold, [are] never taken care of anymore, he said. “If there are no industry-wide changes and regulations by law, the problem might never go away.”

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
lorraine89
50%
50%
lorraine89,
User Rank: Ninja
10/10/2016 | 7:21:51 AM
Cyber security
Though encryption is one of the most important data security tool out there at the moment and lies in the category of cryptography but one can not ignore the importance of vpn servers as well. I have been using purevpn server for the past few years and have been thoroughly satisfied with its working as it protects my incoming and outgoing traffic. 
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I told you we should worry abit more about vendor lock-in.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .