900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys

← Back to Stories (view on slashdot.org)

900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys

Posted by timothy on Thursday November 26, 2015 @08:00AM from the same-assembly-line dept.

An anonymous reader writes: Embedded devices of some 50 manufacturers has been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks. SEC Consult has analyzed firmware images of more than 4000 embedded devices of over 70 vendors — firmware of routers, IP cameras, VoIP phones, modems, etc. — and found that, in some cases, there are nearly half a million devices on the web using the same certificate.

48 comments

Min score:

Reason:

Sort:

They can decrypt your private information by Anonymous Coward · 2015-11-26 08:05 · Score: 0

And know that you use a bum smacking machine.
1. Re:They can decrypt your private information by Opportunist · 2015-11-26 08:35 · Score: 1
  
  Dammit, I knew running the bum smacking machine on a ZigBee was a bad idea.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re: They can decrypt your private information by ArmoredDragon · 2015-11-26 09:59 · Score: 1
  
  Welcome to the internet of everything era, where nothing can possible go wrong.
What's that? by gstoddart · 2015-11-26 08:07 · Score: 4, Insightful

What's that? The companies who make consumer electronics do a terrible job of security and routinely deliver products with little or no security?
Well, golly gee, I'm totally shocked.
No, wait, the other one ... where I think it should be self evident that probably 95% or more of all devices which want to connect to the internet should be presumed to be utterly insecure and not used.
It's pretty clear that without some penalties and liability, the companies who are trying to bring us the connected world are either incompetent at, or indifferent to, any form of security.
If it isn't a computer, I pretty much don't trust it with any form of network connection.

--
Lost at C:>. Found at C.
1. Re:What's that? by Anonymous Coward · 2015-11-26 08:42 · Score: 1
  
  It probably passed their own "security tests", which is running security scan software against the running device. They probably even have a "Security Engineer", that couldn't write "Hello World" in C, look over the data flow diagram to make sure the lines are the right color (encrypted).
  I used to work for a company that built products like this. Products routinely went out with hardcoded admin passwords (so support can fix customer device) or worse; And the passwords were handed out like candy, even sales had the password so they could unlock customer devices.
2. Re:What's that? by Anonymous Coward · 2015-11-26 09:29 · Score: 0
  
  If it isn't a computer, I pretty much don't trust it with any form of network connection.
  From the summary:
  
  firmware of routers, IP cameras, VoIP phones, modems, etc.
  How will you connect said computer to the net without a router or a modem?
3. Re: What's that? by Anonymous Coward · 2015-11-26 11:14 · Score: 0
  
  For the router issue, you can just use open-wrt, dd-wrt, or something similar. As far as modems go, that's much more tricky since many ISPs don't like you not renting one from them.
4. Re:What's that? by Anonymous Coward · 2015-11-27 00:25 · Score: 0
  
  Good news! These ARE computers!
5. Re: What's that? by Anonymous Coward · 2015-11-29 10:46 · Score: 0
  
  It doesn't really take a "company", per se, just intelligent developers.
  The senior developer at work easily made a server that generates keys from diode noise used in RNG to be pulled in during manufacturing to create a cramfs filesystem that is only writable with a production load of firmware.
  It's caused zero problems in almost 8 years of production. It was do-once work, and could easily expand to all product lines.
  I wouldn't expect any suit to understand and implement, I'd expect developers and the VP of technology or whatever at the company to be responsible for this.
I, for one, welcome our key sharing overlords by Anonymous Coward · 2015-11-26 08:15 · Score: 0

Well, now that we know there are commonly reused keys shared between different firmware, it shouldn't be too hard to find them; download a variety of firmware updates, and look for a block of text the size of a key, that is identical between different firmware images. Imagine the kinds of botnets that are now possible...
1. Re:I, for one, welcome our key sharing overlords by Anonymous Coward · 2015-11-27 00:28 · Score: 0
  
  Information wants to be free! People rant about DRM and then use chmod or passwords. RMS' first foray was against having passwords on the computers at MIT. People deny it and twist around a bunch of things but, no, information wants to be free. Bottle it up, all you want, but it will be mine eventually.
Useless by Anonymous Coward · 2015-11-26 08:15 · Score: 0

http://it.slashdot.org/story/15/11/22/1431237/cios-spend-a-third-of-their-time-on-security
So, with all of that time, you guys never thought about this? You want us to trust your security and you don't know about Certs? They don't generate themselves!
1. Re:Useless by Opportunist · 2015-11-26 08:36 · Score: 0
  
  Amazing. A third of their time. Considering that it's the job of the CISO, not the CIO, that's quite a lot.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
we need java multicore by Anonymous Coward · 2015-11-26 08:17 · Score: 0

it would fix the certificates, java multicore is all we need. java on more cores than like 3. 32/64 fine, arm/x86 fine.
Nice biased article leaving Apple out by Anonymous Coward · 2015-11-26 08:17 · Score: 1

Nice biased article leaving Apple out, when part of Apple's touted security is HARD CODED KEYS embedded in hardware.
Why attack the little guys when one of the biggest of them all is given a free pass? Google key0x89b or go straight to http://www.sputtr.com/key0x89b for a copy.
1. Re:Nice biased article leaving Apple out by MobileTatsu-NJG · 2015-11-26 09:40 · Score: 2
  
  Nice biased article leaving Apple out, when part of Apple's touted security is HARD CODED KEYS embedded in hardware.
  I'd like to know more about this. Link, please?
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
2. Re:Nice biased article leaving Apple out by Anonymous Coward · 2015-11-26 10:24 · Score: 0
  
  Here you go.
3. Re:Nice biased article leaving Apple out by Anonymous Coward · 2015-11-26 10:32 · Score: 0
  
  Try reading your own fucking link.
  Apple are burning unique IDs in each chip, which means the key generated with it is DIFFERENT on each device.
  The article here is about device manufacturers using the SAME fucking key on every fucking device.
4. Re:Nice biased article leaving Apple out by MobileTatsu-NJG · 2015-11-26 10:43 · Score: 1
  
  Heh. Here's a tip: 'Let Me Google That For You' is only worthwhile when the search terms are obvious. If you put in something as obscure as "key0x89b", then the sarcasm is just lost.
  As for the links, thank you, I perused them, but I cannot find why you're raking Apple over the coals on it. The article is about certificates being burned in, "key0x89b" is about burning the decryption keys for the filesystem, unique to each device, into the memory on the machine. There are reasons why this is bad but it has nothing to do with things like man-in-the-middle attacks as mentioned in the article.
  Please feel free to correct me, perhaps the list of links you showed me made me misinformed.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
5. Re:Nice biased article leaving Apple out by MobileTatsu-NJG · 2015-11-26 10:48 · Score: 1
  
  And... I put my foot in my mouth. I apologize, I didn't see where you said "Google key0x89b..." That's my bad, please free to point and make fun of me. The only real excuse I have for that is undiagnosed brain-damage or something.
  My tasty little slice of humble-pie aside, I hope you'll still consider the rest of my post.
  
  --
  
  "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
6. Re:Nice biased article leaving Apple out by Anonymous Coward · 2015-11-26 10:53 · Score: 0
  
  Those keys,l are unique to each device. That's not what this article is about.
  This article is about re-using the same key across millions of devices.
Cost driven engineering by monkeyxpress · 2015-11-26 08:19 · Score: 1

What a bunch of idiots. Not just for sharing the same certificate between multiple devices, but for doing this in devices that clearly have mediocre to non-existent firmware read protection. Knowing how many of these products are put together, there is probably some underpaid graduate developer in China who is whoring out the same firmware to any MBA who wants to pay bottom dollar for everything.
I have worked with some pretty poor embedded developers in my time, but none of them would be this stupid. Their own magic number XOR encryption scheme would at least not have been as obvious as a duplicated X.509 cert sitting in firmware.
1. Re:Cost driven engineering by Anonymous Coward · 2015-11-26 08:24 · Score: 0
  
  no you moron. you are so full of yourself. they obviously just didn't use java multicore. you didn't graduate.
2. Re:Cost driven engineering by Anonymous Coward · 2015-11-26 08:30 · Score: 0
  
  no you moron. you are so full of yourself. they obviously just didn't use java multicore. you didn't graduate.
  Didn't you mean: "Mooooo cows! You are all cows! Cows say MOOOOO!"
3. Re: Cost driven engineering by Anonymous Coward · 2015-11-26 11:09 · Score: 0
  
  You multicore cows!!!
4. Re:Cost driven engineering by PPH · 2015-11-26 16:17 · Score: 1
  
  Right. But then these OEMs probably represent the low end of the software vendor's customers. If you want your own key, you pay them a few extra bucks to generate one for your product line. And then you take measures to protect your investment. Like specifying firmware read protection in your device hardware.
  
  --
  Have gnu, will travel.
Exaggerated again ... by angel'o'sphere · 2015-11-26 08:50 · Score: 1

There is not that much wrong with doing that. As long as you can not extract the certificate, why care?
Against popular believe SSH and HTTPS don't use public key encryption for the data transfer. A little bit thinking, in case of SSH at least, would make that obvious to everyone.
The public/private key encryption is used in the beginning of the handshake to exchange a stream cypher usually something like DES.
There is absolutely no difference in having a billion devices with the same keys/certificates and trying to use the data of all transmissions to them to crack them (reversal them) versus a singe certificate like google.com's and having billions of connections per day to that single point.
Of course it would be cooler if only small badges of devices had the same cert, or if you even would go through the hassle to make individual ones.
However someone smarter than me might point out the not so obvious attack vectors.

--
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
1. Re:Exaggerated again ... by Anonymous Coward · 2015-11-26 09:17 · Score: 0
  
  Hm, the obvious attack vector is that OF COURSE YOU CAN EXTRACT THE GODDAMN CERTIFICATE!
  If a device holds a private keys and the public has physical access to the devices, someone will get the key eventually. If it's 900 different devices made by 50 different manufacturers, your key is already public knowledge, sweetie.
2. Re:Exaggerated again ... by Anonymous Coward · 2015-11-26 09:23 · Score: 0
  
  I use certificates with SSH all the time to access servers. Naturally I enable a password on the certificate for another layer of protection.
3. Re:Exaggerated again ... by SwashbucklingCowboy · 2015-11-26 09:46 · Score: 1
  
  "The public/private key encryption is used in the beginning of the handshake to exchange a stream cypher usually something like DES."
  No one with an ounce of up to date crypto knowledge uses DES. Perhaps you meant AES.
  "There is absolutely no difference in having a billion devices with the same keys/certificates and trying to use the data of all transmissions to them to crack them (reversal them) versus a singe certificate like google.com's and having billions of connections per day to that single point."
  Sure there is. It means if I can pwn ANY of those devices from any vendor then I can attack ALL of them. I as vendor A may have gone to the expense to make sure no one can read my firmware. But cheap ass vendor B over there did not. My software supplier provided the same cert to both of us. Now, a vulnerability in his product can be used to attack mine. THAT is the difference.
4. Re:Exaggerated again ... by Anonymous Coward · 2015-11-26 09:46 · Score: 0
  
  Not sure what you are smoking.
  The problem with 900+ devices having the same key pair is that it is next to impossible to guarantee that _all_ of them do not allow the private key to be extracted. All it takes is a _single_ mistake on a _single_ device for all 900+ devices to be compromised.
5. Re:Exaggerated again ... by SwashbucklingCowboy · 2015-11-26 09:52 · Score: 1
  
  I think that simple fact escaped him.
6. Re:Exaggerated again ... by epine · 2015-11-26 10:00 · Score: 1
  
  If Data and Lore had been configured with different host keys, a whole lot of anguish could have been avoided.
  
  When a signal transmission is detected from Data's quarters, Wesley Crusher arrives to investigate. He finds Lore, now impersonating Data, who explains that he had to incapacitate his brother after being attacked. Wesley is doubtful, but since Lore and Data were misconfigured with identical host keys, he has little option but to pretend to accept the explanation.
  Understanding Secure Shell Host Keys
7. Re:Exaggerated again ... by AHuxley · 2015-11-26 10:51 · Score: 1
  
  Yes the "firmware of routers, IP cameras, VoIP phones, modems" is the key. A lot of different groups search the wider internet for any networked devices. One key when found that fits all is not a good design when the consumer feels they bought a product that has some level of encryption.
  
  --
  Domestic spying is now "Benign Information Gathering"
8. Re:Exaggerated again ... by willy_me · 2015-11-26 16:02 · Score: 1
  
  Of course it would be cooler if only small badges of devices had the same cert, or if you even would go through the hassle to make individual ones.
  Going through this hassle is exactly what is typically done. It is not uncommon for the initial - or post reset - boot of a router to take significantly longer then subsequent boots. This is when the router generates the public / private key combination. I suppose that the manufacturers are bypassing this to simplify support. Alternatively, they are truly incompetent and simply flashing the devices with a firmware that already contains the certificate. But each device should have a different serial number which should invalidate a copied certificate. So they must be going out of their way to facilitate a common certificate. Possibly they disabled verification against the serial number?
  Regardless of why or how they are doing it, a common certificate indicates a common private key. With that private key you can decode the shared AES (or DES) key and subsequently decode all network traffic. The key will be stored in FLASH memory and can be accessed via JTAG connection.
9. Re:Exaggerated again ... by PPH · 2015-11-26 16:12 · Score: 1
  
  Odds are that these 900+ devices were built from the same image. Hence the identical keys. And if this is the case, then either all of them have an exposed private key or none of them do. Once a build process has been verified to load the correct components and not load those that should not be, stamping out identical copies is quite secure.
  In the case of identical key pairs being loaded on different devices, all that this key does is uniquely identify the particular software build that your IoT device is based on. If you need to uniquely identify a single instance of device, then its key pair must be generated based on a unique identifier, such as a MAC address or serial number. Or better yet, some combination of unique identifier and random seed.
  
  --
  Have gnu, will travel.
10. Re:Exaggerated again ... by Fnord666 · 2015-11-27 10:02 · Score: 1
  
  "The public/private key encryption is used in the beginning of the handshake to exchange a stream cypher usually something like DES."
  No one with an ounce of up to date crypto knowledge uses DES. Perhaps you meant AES.
  In addition, both DES and AES are block ciphers, not stream ciphers.
  
  --
  'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
11. Re:Exaggerated again ... by angel'o'sphere · 2015-11-28 03:59 · Score: 1
  
  Serial numbers have nothing to do with certificates.
  You can make public/privat key combos on your computer as many as you want and use them as you want.
  With that private key you can decode the shared AES (or DES) key and subsequently decode all network traffic.
  The DES/AES Key is new for every connection.
  The key will be stored in FLASH memory and can be accessed via JTAG connection.
  Only if the device has such a connector. Which it likely has not. Never saw one that has one ...
  Would make more sense, to desolder the ROM and put it into a ROM reader.
  
  --
  Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
12. Re:Exaggerated again ... by SwashbucklingCowboy · 2015-11-28 15:58 · Score: 1
  
  AES used in GCM mode is essentially a stream cipher.
Please correct the summary by reboot246 · 2015-11-26 09:57 · Score: 2

"Embedded devices of some 50 manufacturers has been found sharing . . . . "

That should be "have been", not "has been". I'm sorry, but it just grates on my nerves.
1. Re:Please correct the summary by fisted · 2015-11-26 11:13 · Score: 1
  
  Thanks. What would we just do without you.
  
  --
  CLI paste? paste.pr0.tips!
so this is how... by Anonymous Coward · 2015-11-26 10:52 · Score: 0

they hack into all those cameras and shit on cop shows....
It's Economics not Cryptography by FeelGood314 · 2015-11-26 12:53 · Score: 1

I work trying to secure small embedded devices. It is frustrating beyond belief. No one will pay for real security. Most end users don't understand it and wont pay for real security. Banks, utilities and even governments don't care if the loss caused by a breach is incurred by someone else. Managers might care but they aren't going to stick their necks out and do anything different since they can never be blamed for following "industry best practices"

Until the people who have the ability to fix security problems are the same people who will incur the loss when something goes wrong we will never have secure IoT devices, let alone secure public infrastructure.
1. Re:It's Economics not Cryptography by PurpleAlien · 2015-11-26 14:10 · Score: 1
  
  Same here. I see the same things. We design everything with security in mind from the get-go. However, this has meant having to skip customers who just didn't care (and wouldn't cover the costs that come with it). Most businesses wouldn't do that, so this all leads to horribly insecure crap.
  
  --
  My blog, if you're interested: http://www.purp
2. Re:It's Economics not Cryptography by Aristos+Mazer · 2015-11-27 04:14 · Score: 1
  
  This is an area where I would support government regulation -- banning the sale of devices that don't meet a high security standard, just like we ban food that's unfit for consumption or require specific safety devices in cars. I've hoped that, as cars get more computerized, the regulations around cars would have a bleed-over effect, but, so far, no luck there.
NSA_Key? by Ungrounded+Lightning · 2015-11-26 17:19 · Score: 1

Did anybody compare the lists of devices sharing these hardcoded SSL certs to the lists in the Snowden Revelations that various projects in NSA were willing to crack on a wholesale basis for other departments?

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Pirelli? by cant_get_a_good_nick · 2015-11-27 03:34 · Score: 1

I think of them as tires only (well, and the calendar). What since when do they make/sell/rebadge routers?