Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk
alphadogg (971356) writes A setup mistake has apparently left hundreds of thousands of home routers running the SSH (Secure Shell) remote access tool with identical private and public keys. John Matherly, founder of a specialized search engine company whose technology is used for querying Internet-connected devices, found more than 250,000 devices that appear to be deployed by Telefónica de España sharing the same public SSH key. A different search found another 150,000 devices, mostly in China and Taiwan, that have the same problem. Matherly said in a phone interview on Wednesday it is possible the manufacturers copied the same operating system image to all of the routers.
Most embedded guys are batting out of their league and don't have a clue when it comes to security... and I say that as an embedded guy who often has to do exactly that to get the product out.
Most embedded development I've done is far from 'software engineering' - it's whack and hack until the tests pass (often because you loosened the testing requirements).
Isn't TFS supposed to explain what it's talking about?
1. Why does a router have public-facing SSH? The reason to use SSH on your router is to configure it, over a wired connection from your PC, innit?
2. Why does a router come with SSH keys already installed? Don't you generate your own SSH keys?
> John Matherly, founder of a specialized search engine company whose technology is used for querying Internet-connected devices
Translation -
John Matherly, founder of a company that randomly portscanned over 350,000 internet-connected devices without their users' consent, for the sole purpose of enriching his company's bottom line.
This is the fingerprint, not the root user's key.
Do the majority of users ever log into their device via ssh? So if everyone has the key you can decrypt other people's traffic, but the leaked keys in question probably don't allow for login.
Not a great idea for the keys to be the same, but not really a security risk if ssh is never used. Now, the fact that there is an ssh port open to the world without the end user setting it up, that could be a problem.
Often, the exact same problem happens when people clone/copy virtual machines, although the scope of security risk is obviously less in this case.
Ideally, newly copied virtual machines should be assigned new SSH host keys.
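The audit that surfaces both the baked-in router key described in the story and the cloned-VM case above is the same: collect host keys from a fleet and look for one fingerprint on many hosts. The following is an added example, not code from the article or any commenter; it reads `ssh-keyscan`/known_hosts-style lines, computes the OpenSSH SHA256 fingerprint, and reports keys seen on more than one host. Hosts and key material are constructed for the demo.

```python
"""Audit SSH host keys for duplicates across a fleet (added example).

Input lines use the ssh-keyscan / known_hosts layout:
    <host> <key-type> <base64 key blob>
Hosts sharing a fingerprint either shipped with one firmware image key or were
cloned without regenerating /etc/ssh/ssh_host_*. Sample data is constructed.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def openssh_fingerprint(b64_blob: str) -> str:
    """Fingerprint as OpenSSH prints it: SHA256:<unpadded base64 of sha256(blob)>."""
    blob = base64.b64decode(b64_blob)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(scan_lines):
    """Return {fingerprint: sorted hosts} for every key seen on two or more hosts."""
    seen = defaultdict(set)
    for line in scan_lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and '# host:port ...' comment lines
        host, _keytype, blob = line.split()[:3]
        seen[openssh_fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def make_ed25519_line(host: str, seed: bytes) -> str:
    """Constructed ssh-ed25519 scan line; the 32-byte 'public key' is derived from seed."""
    key = hashlib.sha256(seed).digest()  # stand-in for real key material, NOT a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed fleet: three routers carry the same image key, one host is unique.
SAMPLE_SCAN = [
    "# 192.0.2.10:22 SSH-2.0-dropbear",
    make_ed25519_line("192.0.2.10", b"firmware-image-key"),
    make_ed25519_line("192.0.2.11", b"firmware-image-key"),
    make_ed25519_line("192.0.2.12", b"firmware-image-key"),
    make_ed25519_line("192.0.2.13", b"unique-key"),
]

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Feed it the output of `ssh-keyscan` over your own address range, or the concatenated known_hosts of a VM farm, and any fingerprint listed is a host key that should be regenerated.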
...when the router comes out of the box it was shipped in, is power it up with the only network connection being a wired one from port 1 to a pc, through which the router is locked to accept administrator connections from the currently connected IP and machine ID ONLY (and the IP reserved for that machine), and ONLY via the wired LAN interface - from which point, you then change the wireless SSID and all the passwords FROM the defaults, and all that before you even physically connect it to the WAN cable. That way anything behind your router remains as practically secure as it's possible to get while connected to the Internet. Major problems such as that computer becoming permanently disabled are an easy fix, just perform a WAN-disconnected factory reset of the router and reconfigure it for another machine.
It does concern ssh-keys, disk-encryption keys, etc. If the people doing this do not understand how encryption works, or are botching initial entropy gathering, the same or pretty close keys can end up on a lot of deployed devices.
In general, this has to do with developer inexperience and (for older ones) incompetence.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Every geek should be a good netNeighbor or netRelative and suggest or guide anyone we care about or don't wish to be fucked over by .gov/corporations/prick wardriving kids and suggest something along the lines of DD WRT or TomatoUSB on their routers that may be ripe targets...maybe even offer to help them secure them, I'm getting pissed at all this crap that is going to get all of them and us reamed. I also like the idea of sticking it to all the evil and/or stupid bastards that let this stuff happen. I let an elderly neighbor of mine know a few months ago by naming my SSID something that might alert their kids or whomever is their "IT expert" (who happened to be her daughter) to email a disposable account I set up so I could explain what was up and I spent 20 minutes getting it going for them. I told her to let me know if it needed any fixing with another one-time email anytime remotely. But really, Toastman's TomatoUSB is very stable and needs hardly any tweaking or fixing...probably less than stock firmware. Especially for the crappy Cisco FW that was on it - disaster waiting to happen. They are even on 5 GHz N band now, the only other one than me (I'm on both 2.4 & 5). PS InSSIDer is a great wireless app.
We all know costs matter and security is not worth the investment in many companies' mindset. Router firmware has always been a weak link for so many reasons. It's now become a viable access point of breach only because more and more routers have been implemented. I have no doubt most consumers have no clue about updating firmware or how the settings of a router affect security or function. Consumers basically want Plug N Play for everything tech. It's why we are seeing software and operating systems updating on their own, security scanning in the background and a general consensus of not leaving it up to the end user to do much of anything. So when the hardware makers screw up, then who is it that will fix it?
In the meantime, I can't even get my Canon wi-fi printer to connect to my router, but some script kiddy can see all my porn.
What the hell is wrong with software these days?
Most electrical equipment mass-marketed in the US is tested by UL (Underwriters Laboratories). Many consumers and most large purchasers recognize the UL mark as indicating a degree of safety. Contracts can specify that products and components meet various UL standards. That's why your router's power supply wall-wart probably has the UL mark, and doesn't generally catch fire.
The "Gubmint" doesn't force UL certification or listing, purchasers choose UL listed products. There's no "billions of lobbying dollars", in fact companies PAY to have their products tested, because if they are recognized by UL they don't sell nearly as well. Not only do individual consumers recognize the UL logo, but purchasing agents for Walmart and Target know they'd rather buy and sell UL tested products, so if you want Walmart to order 500,000 fire safes from you, you better have UL test it.
So no, it doesn't have anything to do with "gubmint" or "lobbying" - UL or another organization could check the firmware in the router just like they already check the power supply circuit.
There are already programs in place. One example: NIST certifies private security testing laboratories to test according to FIPS standards. It's just that nobody is asking for certified products outside of government procurement.
By the router's firewall? Why is SSH enabled to begin with?
OK, this is clearly a bad thing, but I don't think it means that your private LAN is immediately accessible to people all over the world does it? Multiple routers using the same keys means you could be tricked into logging in to someone else's router without knowing, but that would still require some way of directing your traffic to the imposter's device to begin with, such as DNS hijacking.
Knowing someone's keys would also allow you to encrypt/decrypt traffic as that device, facilitating a man-in-the-middle attack, but still, you need a way to get in the middle between two devices. This is not something that's trivial to do from one arbitrary location to another.
I'm not suggesting this isn't a serious problem, but I don't think it's as bad as, say, remote administration being enabled with a known default password.
Kinda Apples and Oranges. UL testing is fairly straightforward. The quick explanation - they stress the device in various ways and see if it catches on fire. Checking a crypto setup to a reasonable level of satisfaction can't be done externally. The code for the entire system must be examined, and that is relatively difficult to do.
-Matt
After the recent crypto fiasco, a NIST certification might be seen as a mark of shame.
> Back then you could justify the increased costs associated with getting the UL stamp of approval as a benefit to the consumer's safety.
> Today, if you tried this, you'd get absolutely buried.
That "sounds good", especially if it plays well with your personal political feelings. However, go pick ten random electrical products at your local big box store. Notice that at least nine, if not all ten, do in fact have the UL mark. The actual fact is that today almost all manufacturers do indeed "justify the increased costs associated with getting the UL stamp of approval". You can be surprised that they do, but you can see with your own eyes that they do. If that doesn't fit your current ideas, your ideas must be mistaken.
Every so often I check to see what's running on computers that attempt to connect to my home router. This IP address http://141.212.121.200/ was from The University of Michigan.
> in fact companies PAY to have their products tested, because if they are recognized by UL they don't sell nearly as well
So they're paying to sell less?
I first ensure the wrt is openwrt compliant. Then the 1st thing I do after purchase is to install openwrt.
Slashdot, fix the reply notifications... You won't get away with it...
The last 3 DSL routers I've had in 8 years from Telefonica all came with remote access (WAN side) enabled, albeit from a certain IP range only. I close that down as soon as I get the new router but needless to say most people won't know how to do it or actually even care.
Apparently my post was not tested for typos.
This is exactly the kind of thing that will happen with the Internet of Things if that term still exists in a few years. Billions of devices connected to the internet, designed by amateurs with no security in mind.
> Not only do individual consumers recognize the UL logo, but purchasing agents for Walmart and Target know they'd rather buy and sell UL tested products, so if you want Walmart to order 500,000 fire safes from you, you better have UL test it.
> So no, it doesn't have anything to do with "gubmint" or "lobbying" - UL or another organization could check the firmware in the router just like they already check the power supply circuit.
You're assuming perfect certification and a lack of counterfeiting. The running joke at the moment is that CE stands for Chinese Engineering rather than being the European equivalent of UL. We see products in Australia a lot carrying both the UL and CE logos, because frankly the same products are sold all over the world. It quickly becomes apparent when dismantling them that either the certification is fake or that the certification isn't worth the paper it's printed on. In fact early last year, if I recall, someone was fatally electrocuted by an aftermarket mobile phone charger which among other things carried the UL and CE markings. Chinese made of course.
I too have bought a 2A charger from fleabay that had a UL marking on it. I caught it early enough but when I was pulling about 0.8A it got hot enough that I was afraid it may burn my house down, and into the bin it went.
I've also seen a water filter with a TUV certificate claiming it removes 100% of everything down to a certain size. If anyone has seen such TUV certificates for filtering equipment before, they'll know TUV has never printed 100% on anything.
For a certification scheme like this to work you need perfect certification combined with perfect customs and border control to prevent fakes entering the country. That is a little harder to achieve.
A cheap home router with SSH enabled...
Where can I buy this?
> You're assuming perfect certification and a lack of counterfeiting
No, I'm pointing out that it's better than NO testing or certification. If 5% of the products are counterfeit, that means 95% aren't. Compare the safety of what's on the shelves at Walmart vs what street vendors sell in Mexico or China. It does in fact work.
> For a certification scheme like this to work you need perfect certification
There's no "would need". UL has been testing products for over a hundred years, so it's not theory. UL certified products do in fact have a much better safety record than untested products. UL LISTED products are in the middle.
You're seeing an agenda where none exists. Yes, most electrical devices found in the home today have the UL mark on them; I never said otherwise. My point is that currently that is inertia from a decades-old system. If you tried to implement a brand new UL-type company TODAY, you would never succeed. Anything that increases costs, even if it adds significant value, is seen as evil and "unnecessary regulation", and therefore to be avoided at all costs. Especially when the value added is something that the average consumer does not and does not care to understand.
after i "accidentally" got a login/password correct on a home-ip on port 80 i commenced to add a port-forwarding rule for port 80 to ...#NO CARRIER
> I think you were being generous to my argument about 5% being counterfeit, in the western world it would be lower. But equally low are the number of products we have major security issues with.
Being in this industry, it seems to me that ALL major router manufacturers have had multiple major security problems. NONE of them have had major "catch on fire" problems to my recollection. So the assertion that the number of devices with security problems is the same as the number that have fire problems is false in the extreme.
My reply didn't exactly match your comment, but I'd say it's true for counterfeiting too. Pick a random electronic device at a random big-box store. It's probably NOT counterfeit. It probably DOES have lax security.
Even more, I'm talking about testing like UL does. UL focuses primarily on fire safety, and it works - our electronic devices rarely catch fire. Fire safety is a success. Data safety is a miserable failure - I can personally hack most devices.
> There are already programs in place. One example: NIST certifies private security testing laboratories to test according to FIPS standards. It's just that nobody is asking for certified products outside of government procurement.
FIPS 140 certification, which I assume is what you're referring to, is almost worthless in terms of determining how resistant to real-world attack a product really is. It would have done nothing to prevent the problem discussed here. Its main use is as a measure of how desperate a vendor is to get government contracts, which is also why no-one asks for it outside government procurement.
UL listing is important because many businesses will only buy equipment certified by a Nationally Recognized Testing Laboratory (NRTL). UL isn't the only NRTL, here's a list. That market can obviously support more than just UL. I think that if businesses started insisting on certifications for security, the market could support a few security certification labs.
I don't think you know what you're talking about. This would have been caught and prevented if they went for FIPS testing.
"Cryptographic key management (generation, entry, output, storage and destruction of keys)"
Which needs full documentation and testing.
please ignore