900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys

An anonymous reader writes: Embedded devices of some 50 manufacturers has been found sharing the same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact that can be exploited by a remote, unauthenticated attacker to carry out impersonation, man-in-the-middle, or passive decryption attacks. SEC Consult has analyzed firmware images of more than 4000 embedded devices of over 70 vendors — firmware of routers, IP cameras, VoIP phones, modems, etc. — and found that, in some cases, there are nearly half a million devices on the web using the same certificate.

What's that?

[gstoddart]

What's that? The companies who make consumer electronics do a terrible job of security and routinely deliver products with little or no security?

Well, golly gee, I'm totally shocked.

No, wait, the other one ... where I think it should be self evident that probably 95% or more of all devices which want to connect to the internet should be presumed to be utterly insecure and not used.

It's pretty clear that without some penalties and liability, the companies who are trying to bring us the connected world are either incompetent at, or indifferent to, any form of security.

If it isn't a computer, I pretty much don't trust it with any form of network connection.