Slashdot Mirror

← Back to Stories (view on slashdot.org)

Duplicate SSH Keys Put Tens of Thousands of Home Routers At Risk

Posted by timothy on from the vewy-vewy-quiet dept.

alphadogg (971356) writes A setup mistake has apparently left hundreds of thousands of home routers running the SSH (Secure Shell) remote access tool with identical private and public keys. John Matherly, founder of a specialized search engine company whose technology is used for querying Internet-connected devices, found more than 250,000 devices that appear to be deployed by Telefónica de España sharing the same public SSH key. A different search found another 150,000 devices, mostly in China and Taiwan, that have the same problem. Matherly said in a phone interview on Wednesday it is possible the manufacturers copied the same operating system image to all of the routers.

8 of 114 comments (clear)

  1. No surprise... by jasno · · Score: 5, Informative

    Most embedded guys are batting out of their league and don't have a clue when it comes to security... and I say that as an embedded guy who often has to do exactly that to get the product out.

    Most embedded development I've done is far from 'software engineering' - it's whack and hack until the tests pass(often because you loosened the testing requirements).

    --

    http://www.masturbateforpeace.com/
    1. Re:No surprise... by sinij · · Score: 5, Insightful

      Government already demands product certification (e.g. FIPS), it is time corporate and individual consumers started doing the same. We expect our power supplies to not electrocute us, there is a certification program to ensure that is the case, why is when it comes to data security we are so lax?

    2. Re:No surprise... by internerdj · · Score: 3, Informative

      My first job was a contract to a network equipment manufacture. I spent most of my time in their hardware division. At least for that particular company, hiring was based entirely about making hardware. Lots of electrical engineers, a few structural guys to do placement, software engineers were only for the network management division. A lot of the guys who were tasked with writing the embedded stuff were out of their league to write code period, but project management was so physical engineering heavy that they didn't understand what was going wrong. So yeah, I've seen the same thing.

    3. Re:No surprise... by sinij · · Score: 3, Insightful

      FIPS is not a joke - it ensures that that your cryptographic algorithms are implemented correctly and meet the standard. So you don't generate matching private/public keys or all 0 keys and other preventable but non-obvious to people outside of crypto mistakes. FIPS does not guarantee that you use these algorithms intelligently, there are other certifications that do that.

    4. Re:No surprise... by brunes69 · · Score: 3, Insightful

      It is a total joke.

      FIPS 140-2 ensures your algorithm is part of a standard set - big deal. It does no investigation at all as to how you use that algorithm or why you use it. If you are using AES with a FIPS-certified library, you get the checkbox. Nevermind the fact that the private key you are using is sitting in plain text on the disk.

      Its the same as all federal standards - FedRAMP, FIPS, FISMA, ISO 27K. They all do *SOME* things, but none of these standards, or any intersection of them, actually do anything with regards to real secure engineering. Note, I am not even sure it would be close to practical to do this. I am just raising awareness that saying that an application is "FIPS certified" is next to useless.

      Source: I have dealt with getting applications certified in all of these umbrellas, and more. It is an extremely time consuming and expensive process for all involved to get certified - but in the end does very little in terms of real application security. But it sure makes the auditors a lot of money!

  2. WTF? by Anonymous Coward · · Score: 3, Insightful

    Isn't TFS supposed to explain what it's talking about?
    1. Why does a router have public-facing SSH? The reason to use SSH on your router is to configure it, over a wired connection from your PC, innit?
    2. Why does a router come with SSH keys already installed? Don't you generate your own SSH keys?

  3. UL (Underwriters) is a private, for-profit company by raymorris · · Score: 4, Informative

    Most electrical equipment mass-marketed in the US is tested by UL (Underwriters Laboratories). Many consumers and most large purchasers recognize the UL mark as indicating a degree of safety. Contracts can specify that products an components meet various UL standards. That's why your router's power suppy wall-wart probably has the UL mark, and doesn't generally catch fire.

    The "Gubmint" doesn't force UL certification or listing, purchasers choose UL listed products. There's no "billions of lobbying dollars", in fact companies PAY to have their products tested, because if they are recognized by UL they don't sell nearly as well. Not only do individual consumers recognize the UL logo, but purchasing agents for Walmart and Target know they'd rather buy and sell UL tested products, so if you want Walmart to order 500,000 fire safes from you, you better have UL test it.

    So no, it doesn't have anything to do with "gubmint" or "lobbying" - UL or another organization could check the firmware in the router just like they already check the power supply circuit.

  4. Sounds good, but shelves full of UL say otherwise by raymorris · · Score: 3, Insightful

    > Back then you could justify the increased costs associated with getting the UL stamp of approval as a benefit to the consumer's safety.
    > Today, if you tried this, you'd get absolutely buried.

    That "sounds good", especially if it plays well with your personal political feelings. However, go pick ten random electrical products at your local big box store. Notice that at least nine, if not all ten, do in fact have the UL mark. The actual fact is that today almost all manufacturers do indeed "justify the increased costs associated with getting the UL stamp of approval". You can be surprised that they do, but you can see with your own eyes that they do. If that doesn't fit your current ideas, your ideas must be mistaken.