

Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk

alphadogg (971356) writes: A setup mistake has apparently left hundreds of thousands of home routers running the SSH (Secure Shell) remote access tool with identical private and public keys. John Matherly, founder of a specialized search engine company whose technology is used for querying Internet-connected devices, found more than 250,000 devices that appear to be deployed by Telefónica de España sharing the same public SSH key. A different search found another 150,000 devices, mostly in China and Taiwan, that have the same problem. Matherly said in a phone interview on Wednesday it is possible the manufacturers copied the same operating system image to all of the routers.
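The story turns on many devices presenting the same SSH host key. A defender can spot that condition in their own fleet by fingerprinting each device's host key and grouping hosts by fingerprint. The following is an added example, not code from the story or from any vendor; it works on constructed ssh-keyscan-style records with placeholder key blobs, and the host addresses and blobs are assumptions made up for the demonstration.

```python
import base64
import hashlib
from collections import defaultdict


def _blob(tag):
    # Constructed placeholder "key blob": base64 of a tag string, not real key material.
    return base64.b64encode(tag.encode()).decode()


# Constructed sample in the "host keytype base64blob" shape that ssh-keyscan emits.
# Three hosts deliberately share the same blob to mimic a cloned firmware image.
SAMPLE_SCAN = "\n".join([
    "192.0.2.10 ssh-rsa " + _blob("constructed-key-A"),
    "192.0.2.11 ssh-rsa " + _blob("constructed-key-A"),
    "192.0.2.12 ssh-rsa " + _blob("constructed-key-B"),
    "198.51.100.7 ssh-rsa " + _blob("constructed-key-A"),
    "# comment line, as ssh-keyscan prints for unreachable hosts",
    "203.0.113.5 ssh-ed25519 " + _blob("constructed-key-C"),
])


def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_scan(text):
    """Return (host, keytype, blob) tuples, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: ignore rather than crash the audit
        records.append((parts[0], parts[1], parts[2]))
    return records


def find_shared_keys(text, min_hosts=2):
    """Group hosts by host-key fingerprint; return only fingerprints seen on >= min_hosts hosts."""
    by_fp = defaultdict(list)
    for host, _keytype, blob in parse_scan(text):
        by_fp[fingerprint(blob)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_SCAN).items():
        print(fp, "shared by", len(hosts), "hosts:", ", ".join(hosts))
```

On a real inventory, feed it the output of ssh-keyscan against the device list you are responsible for; any fingerprint that shows up on more than one device is a candidate for regenerating host keys on first boot.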


  1. No surprise... by jasno · · Score: 5, Informative

    Most embedded guys are batting out of their league and don't have a clue when it comes to security... and I say that as an embedded guy who often has to do exactly that to get the product out.

    Most embedded development I've done is far from 'software engineering' - it's whack and hack until the tests pass (often because you loosened the testing requirements).

    --

    http://www.masturbateforpeace.com/
    1. Re:No surprise... by internerdj · · Score: 3, Informative

      My first job was a contract to a network equipment manufacturer. I spent most of my time in their hardware division. At least for that particular company, hiring was based entirely on making hardware. Lots of electrical engineers, a few structural guys to do placement; software engineers were only for the network management division. A lot of the guys who were tasked with writing the embedded stuff were out of their league to write code, period, but project management was so physical-engineering heavy that they didn't understand what was going wrong. So yeah, I've seen the same thing.

  2. FTFY by Anonymous Coward · · Score: 2, Informative

    John Matherly, founder of a specialized search engine company whose technology is used for querying Internet-connected devices

    Translation -

    John Matherly, founder of a company who randomly portscanned over 350,000 internet-connected devices without their users' consent, for the sole purpose of enriching his company's bottom line.

  3. UL (Underwriters) is a private, for-profit company by raymorris · · Score: 4, Informative

    Most electrical equipment mass-marketed in the US is tested by UL (Underwriters Laboratories). Many consumers and most large purchasers recognize the UL mark as indicating a degree of safety. Contracts can specify that products and components meet various UL standards. That's why your router's power supply wall-wart probably has the UL mark, and doesn't generally catch fire.

    The "Gubmint" doesn't force UL certification or listing, purchasers choose UL listed products. There's no "billions of lobbying dollars", in fact companies PAY to have their products tested, because if they are recognized by UL they don't sell nearly as well. Not only do individual consumers recognize the UL logo, but purchasing agents for Walmart and Target know they'd rather buy and sell UL tested products, so if you want Walmart to order 500,000 fire safes from you, you better have UL test it.

    So no, it doesn't have anything to do with "gubmint" or "lobbying" - UL or another organization could check the firmware in the router just like they already check the power supply circuit.