Million More Devices Sharing Known Private Keys For HTTPS, SSH Admin

Millions of internet-facing devices -- from home broadband routers to industrial equipment -- are still sharing well-known private keys for encrypting their communications, reports The Register. From the report: This is according to research from SEC Consult, which said in a follow-up to its 2015 study on security in embedded systems that the practice of reusing widely known secrets is continuing unabated. Devices and gadgets are still sharing private keys for their builtin HTTPS and SSH servers, basically. It is not difficult to extract these keys from the gizmos and use them to eavesdrop on encrypted connections and interfere with the equipment: imagine intercepting a connection to a web-based control panel, decrypting it, and altering the configuration settings on the fly. And because so many models and products are using the same keys, it's possible to attack thousands of boxes at once. SEC Consult senior security consultant Stefan Viehbock scanned the public internet and found that the practice of using known private keys has increased over the past nine months, with the number of net-accessible vulnerable devices ballooning to more than 4.5 million network appliances, IoT devices, and embedded systems around the world. That's up 40 per cent, or 1.3 million, from November, according to SEC Consult.

The good and the bad

[rtkluttz]

This is just as good as it is bad. App and device makers are just as much if not more malicious than what we normally consider malware. Our devices and software are flat out being used against us. I agree that encryption should be as near perfect as possible to man in the middle attacks, but there simply MUST be a future way for the owners of endpoints to be able to tell what traffic their apps and devices are TRULY sending out. The biggest spies on the planet are the creators of so called TRUSTED software and devices. I want to know what is leaving my systems and I should have total control over that as owner of my devices.

Re:The good and the bad

[invictusvoyd]

I want to know what is leaving my systems and I should have total control over that as owner of my devices.

Roll your own ( software)

Re:The good and the bad

[rtkluttz]

When possible I surely would, but it still should not be possible for software and device owners to hide communications even from the device it is leaving (and thus its owner).

Why are they net accessible?

I'm no crypto expert, buy why are all these things net-accessible?

I wouldn't (for the sake of this argument) care if my router was all http because it doesn't answer on the WAN port. Same for everything on the LAN side, since I only open specific ports I care about.

How are these things being configured that they can be attacked on the net?

Re:Why are they net accessible?

[ewanm89]

So they can track everything, seriously. Most of these devices have no real need of an internet connection.

Anyway, that said, even my routers are using HTTPS, with a key and certificate pair generated by me for my own CA, it is possible, and not all that hard. I just added a HP printer to my network, again I uploaded my own certificate to it, it even had a nice wizard that generated the CSR which I then signed, run the wizard again and choose to upload the certificate.

Re:Why are they net accessible?

[arth1]

I wouldn't (for the sake of this argument) care if my router was all http because it doesn't answer on the WAN port. Same for everything on the LAN side, since I only open specific ports I care about.

How are these things being configured that they can be attacked on the net?

The problem is "I only open specific ports I care about" does not mean "I only open specific ports I take care about".
Too often, those ports will be ssh or web server instances, and if those are hacked, you have an intruder on the inside, who now has the ability to attack the router because she's now on the LAN side.

It may be tempting to allow sftp access to a NAS box on your lan, setting it up with really strong passwords.
But if the NAS box has an SSH private key from the vendor that's not unique to the box, someone can extract the public key on another box, connect to your box, and tunnel access to your router. No shell access is needed; servers like openssh supports TCP forwarding by default.

Locking things down reasonably well is certainly possible, but most users, even Linux users, do not have the necessary knowledge and paranoia to do so. The main reason why they don't get hacked is that there are so many fatter targets.

And the only hack-proof system is one that has networking disconnected, inside a radiation- and vibration-proof room.

Re:Why are they net accessible?

[JustAnotherOldGuy]

So they can track everything, seriously. Most of these devices have no real need of an internet connection.

What? You mean my 'Flashlight Extreme 2.0' app doesn't need an internet connection or access to my microphone, camera, and contact list?

Re:Why are they net accessible?

[tepples]

even my routers are using HTTPS, with a key and certificate pair generated by me for my own CA

Do you allow friends and family visiting your home onto your home network? Does your router have a web server that can serve files to internal users? If so, how do friends and family install the root certificate for your CA if they want to view the files that you've chosen to share with them?

Re:Why are they net accessible?

He has no friends or family that use his network, pretty obvious.

Re: Why are they net accessible?

Some IoT devices are coming with cell communications facilitating the phone-home "feature".

Re:Why are they net accessible?

Say what? If I have friends over and want to share files with them, they have no need to visit my router's web interface for anything. I have a file server (CentOS running samba) they could connect to, if they want to snarf up my movie collection.

Re:Why are they net accessible?

[ewanm89]

Well, it probably needs camera, but that's because the LED it turns on is the "camera flash". Past that, no it doesn't!

Re:Why are they net accessible?

[ewanm89]

The thing is, if it doesn't exist, OpenSSH generates a brand new key to use on first run. So there is absolutely no need for it having vendor keys.

Re: Why are they net accessible?

It dors not work that way. The public key needed to connect with the ssh server is derived from the users private key, not the servers. All that you can do with access to the servers private key is to impersonate the server.

Re:Why are they net accessible?

[tepples]

I have a file server (CentOS running samba) they could connect to

An iPhone, Android phone, iPad, or Android tablet is more likely to come with an HTTPS client than to come with a Samba client. If you want to run an HTTPS server on your CentOS NAS, you'd still need to either A. buy a domain on a "real" TLD and get a cert for it, or B. run a private CA, issue a cert to the NAS, and somehow push your CA's root to these devices.

Re:Why are they net accessible?

I see, I guess that usage scenario doesn't apply to me. My CentOS server is full of 1-2GB movie rips etc. Nobody wants to put those on their Android or iPhone. My sister in law and I did a giant movie swap last year but it was all between her laptop and the samba server. Nobody's using their phones to connect TO any device on my network, just connecting THROUGH my network. No special mojo needed there.

As an aside. I have Apache running on the CentOS box and generated my own cert for it locally. No running of a private CA involved, I just used the openssl command to generate a crt/key pair. My browser complained at me the first time I hit the server IP, I just ticked the "Add exception-Store permanently" box and I haven't had any trouble since.

Re:Why are they net accessible?

[arth1]

The thing is, if it doesn't exist, OpenSSH generates a brand new key to use on first run. So there is absolutely no need for it having vendor keys.

Except vendor backdoors, which they often graciously provide. Even if they don't lead to a normal account but something simple like dumping the serial number, they still tend to be exploitable for redirects.

And in some cases there are pre-generated keys identical for each device, the manufacturers duplicating a machine that has already been booted without deleting the keys first.

Free and Easy.

[jellomizer]

The biggest problem I see is the following.
1. Certificates are expensive
2. They are hard to Setup.

I am mostly an Application developer type of guy. I may setup a Secure site once every few years. However this process for Apache, and IIS seems to be overly complex. I am sure if I did it every day it would be second nature, but for the guy who does it every once in awhile, it takes a while and some trial and error.

There hasn't been much of a thought on making this process easy to understand for the non-Administrator/Security personnel to setup.

Now many of these devices that we use are made by companies whose main concerns are the following.
* Getting the product out fast
* Having the customer like the product
* Saving money in making the product

Security is one of those long term features if they can find "good enough" level they will not have many problems. For the most part "Good Enough" is to make sure the data is encrypted not necessarily encrypted well.

Re:Free and Easy.

If you're not the type of guy to set the secure site up, that's not a problem. Just hire someone that can. Not being able to do something yourself is not an excuse for shoddy security.

And I'll disagree with the certificates are expensive part too. They don't need to be expensive, there are cheap certificates available if you shop around.

Re:Free and Easy.

https://letsencrypt.org/ :)

Re:Free and Easy.

1. Certificates are expensive
2. They are hard to Setup.

Seriously?

1. If you want a real certificate with browser ubiquity, you can get them for USD $4.99: https://www.ssls.com/ssl-certi...

2. You can set up IIS with a certificate in less than 5 minutes. IIS has had a wizard interface to do this since at least windows server 2003.

Re:Free and Easy.

[ledow]

Certificates are free.
Good certificates are cheap.
Better certificates are far from prohibitive for a one-off cost for a major commercial product.

And certificates for such things are NOT REQUIRED to be signed by a well-known CA. Almost all routers, switches, etc. have admin interfaces that aren't when you first get them.

And if my £50 home router can let me generate certificates, including roots, for SSL, IPSEC, RADIUS, SSH, etc. etc. etc. then there's really no excuse.

It's LITERALLY two lines of openssl invocations on first startup. Or even "click here to regenerate the default certificate" and then it's up to the user whether they do or not and adds in a bit of randomness to when they do press it.

And, honestly, Apache is simple and IIS is - I hate to say it - even simpler. Generate a CSR. Get it signed. Plug it back in. Hell, my CA offers a page of instructions on 20+ different products to generate, sign and plug in certificates. If you can't set up Apache, you shouldn't be allowed to touch SSL, agreed. But if you can set up Apache but then think the process for SSL is too complex after Googling for it once, I'm not sure you should be developing any apps either.

Literally, most of these things do not require a CA-signed SSL key and even major commercial products like Smoothwall etc. don't do that. You can put in a CA-signed on. You can re-generate your own. But there's ZERO need for them to all come with a default one that every other customer with the same product has access to the private key for.

Hell, whenever you set up a Smoothwall from scratch, it regenerates the SSH etc. keys as one of the first things it does (with that little ASCII-grid randomness thing, if you've ever seen that). That's no more difficult than:

if(first_time_setup)
      generate_new_key()

And the code for that function is literally a single OpenSSL command invocation or a couple of lines of setup and choice of cipher type.

Ideally, done after NTP time sync or based on the first access by the user or similar, but it's hardly a chore.

Re:Free and Easy.

[tepples]

Because of rate limiting, Let's Encrypt works only if you buy your own domain and dynamic DNS hosting. So if you sell a million appliances, you end up with a million users who each have to buy and renew a domain and buy and renew a dynamic DNS hosting plan.

Re:Free and Easy.

[tepples]

If you want a real certificate with browser ubiquity, you can get them for USD $4.99

Plus the cost of a domain in a real TLD. Certificate authorities in the CAB Forum tend not to issue certs for dynamic IP addresses, for .local, or for made-up TLDs such as .onion (Tor) or .bit (Namecoin). Plus the cost of renewing all those every year.

Re:Free and Easy.

What makes the keys well-known?
Is it possible to guarantee that a random key is not well-known?
Does anyone have a list of broken keys of the sort described in the article?

Re: Free and Easy.

They DO that. It doesn't work. The problem is there is no entropy at all yet so all the keys are the same.

"well-known private keys"

You keep using those words. I do not think one of them means what you think it means.

Re:"well-known private keys"

Ever heard of mono.snk?

IoT developers are in a race.

[Ungrounded+Lightning]

Most IoT developer are in races to get their product through their particular niche's window of opportunity. First gadget-X through the window gets the bulk of the market share, and the biggest chance of being the 900-pound-gorilla after the niche's evcentual shakeout.

Doing security right is extra effort and time consuming. So the Invisible Hand is giving a back-pat to those who get to market earlier by ignoring it or doing a slap-dash job and spanking those who take time to do it well up front.

Later, when the vulnerabilities are exploited, it MAY apply a big chopping axe to the limbs or necks of those whose backs it previously patted. Or they may, once they have the market share, also have the time, and the will, to improve the situation - with fixes, retrofits, field upgrades, rearchitected newer models, etc. But for now many PHBs are focused on getting through the first stage, so their company is alive to work on the second.

Doesn't matter

[110010001000]

The shocking truth is that it is trivial to do MITM attacks on HTTPS if you have access to the network like you would need for this type of attack. There is no good way to connect securely on a public network. Networks were designed to share information. Security was tacked on later.

Re:Doesn't matter

[ledow]

Is it? Really?

Please describe how you intend to fake a certificate that signs Facebook, say, from a CA that my browser will recognise without warning?

Although there have been instances of that, the CAs in question have basically hate their roots REVOKED from major browsers for doing such things, and with certificate pinning and modern browsers, there's no way to fake your way around HTTPS even if you can sniff and interfere with every single packet.

Those "MITM" things that workplaces and schools use to see inside HTTPS? They ALL require your device to recognise their signing certificate FIRST or they throw up browser warnings all over the place, and things like Chrome will REFUSE to go to GMail etc. if they see it's using a fake certificate.

So don't believe the hype. HTTPS is fine. Just use a modern browser and make sure the sites you're using are pinning their certificates. If you're paranoidly worried, remove all the trusted certs from your OS before your start and only trust the individual website's after you've checked it's the real cert from another machine.

Or have you just heard "You can break HTTPS" or "My school can see my secure pages" and think that means without your co-operation or without full physical and administrative access to your device first?

Re:Doesn't matter

Best attacks I am aware of are downgrade attacks where the man in the middle just speaks HTTP to the client. On newer browsers, HSTS might stop that with facebook.

On the other hand, someone could've used this attack: https://www.computest.nl/blog/startencrypt-considered-harmful-today/ on startCom to get a valid certificate for Facebook. Websites that better allow reflected content such as dropbox are even easier.
Now sure, Key pinning would prevent the above attack as well.

Now consider if the website were small enough to not have HSTS or key pinning preloaded. HTTPS is still easy to MITM if you own the network (e.g. public wifi spoofing). Or consider an outdated browser that doesn't have HSTS or key pinning. If you are dealing with really big sites and up to date browsers, HTTPS seems to work. Beyond that, it is quite fragile.

Re:Doesn't matter

[h33t+l4x0r]

HTTPS is fine. Just use a modern browser and make sure the sites you're using are pinning their certificates. If you're paranoidly worried, remove all the trusted certs from your OS before your start and only trust the individual website's after you've checked it's the real cert from another machine.

That sounds like a lot of work just to check my email.

This ad brought to you by SEC Consult

I've never heard of SEC Consult, but they're mentioned 3x in the summary.

Ha Ha Ha Ha

[JustAnotherOldGuy]

Ha Ha Ha Ha, err, I mean, that's terrible!!

Signed,

Hackers Everywhere

Tivoization

[tepples]

Roll your own ( software)

That's sort of difficult when makers of networking appliances Tivoize their hardware in order to comply with national radio regulators' requirements for robustness of the radio against user modification to use frequencies or power levels not authorized in a particular country, and hardware makers aren't eager to advertise how locked down a networking appliance is against user-made software. See the TP-Link case.

Secure Contexts require HTTPS even on home LAN

[tepples]

I wouldn't (for the sake of this argument) care if my router was all http because it doesn't answer on the WAN port.

The web interface presented by a cleartext HTTP server cannot use any APIs that are restricted to secure contexts. (A secure context contains only scripts from potentially trustworthy origins, particularly hosts that resolve to 127.0.0.1, the file: scheme, and the https: scheme.) The spec lists several web APIs that it encourages browser makers to restrict to secure contexts. Examples of such APIs that a web server inside an appliance on a home LAN might want to use include Service Workers, Geolocation, Media Capture, and especially Fullscreen.

For example, consider a router with a network attached storage (NAS) feature. If you connect a mass storage device to its USB port, it shares the files on the LAN through SMB, SFTP, and HTTP protocols. If you load videos onto this device, the user may want to watch them on the full screen. But because the Fullscreen API can be used to spoof browser UI, the spec encourages browsers to restrict it to secure contexts. This means the NAS feature will have to support HTTPS.

Re:Secure Contexts require HTTPS even on home LAN

Definitely a valid point, and part of why I added the "(for the sake of this argument)" to my post.

The main thing I was trying to get at was that none of these security flaws should even have the *chance* of being exposed if people would just take half a second to try and secure the network itself.

Disclaimer: Ignoring LAN-side security is rather silly as well, but keeping the WAN on the WAN-side should be step #1.

Needs to be easier

[WaffleMonster]

I've seen this across numerous companies and network device vendors.

Too many operators who manage these things don't even have a basic grasp of PKI.

Device vendors don't bother providing even basic operations to manage certificates - generating key pairs and CSRs. They expect the operators to handle it themselves OOB.

The result is "test" and "demo" certs the engineers who created them know full well are worthless get put into production because device vendor support doesn't want to deal with the support headache or the operator doesn't want to run a bunch of exotic bullshit from the CLI when they can just use what is already there and works.

Ultimately none of these devices actually require PKI for security. Usable trust already exists in the form of username/password... why not just use it? All that is really necessary is for browser vendors to get off their collective asses and apply the TLS-SRP patches wasting away in their ticketing systems... then you can do secure authentication to these devices without having to provision any PKI. Excuse for failure is reduced from ... wahhh PKI is too hard... to ... WTF dude can't even change a default password?

Short of this inclusion of "test" and "demo" certificates needs to be straight out banned yet there is no mechanism other than shame to enforce such a ban.

Better technology (which is readily available but sits unused) to make it easier for people to do the right thing is a much more productive approach than betting against human nature.

Re:Needs to be easier

[tepples]

Usable trust already exists in the form of username/password... why not just use it? All that is really necessary is for browser vendors to get off their collective asses and apply the TLS-SRP patches wasting away in their ticketing systems

You appear to refer to Bug 405155 in bugzilla.mozilla.org, which hasn't had significant activity in the past five years. The biggest issue they found is that TLS-SRP still sends the username in the clear where the MITM can snoop it, and if username is an email address, that could leak personally identifying information.

Re:Needs to be easier

[WaffleMonster]

You appear to refer to Bug 405155 in bugzilla.mozilla.org, which hasn't had significant activity in the past five years. The biggest issue they found is that TLS-SRP still sends the username in the clear where the MITM can snoop it, and if username is an email address, that could leak personally identifying information.

This is as unavoidable as clients belching SNI and servers belching subject name in the clear when you connect to a secure site. And lets not forget each and every time I connect anywhere on the Internet the same old IP address I've had for years gets tagged right along with my communications.

This seems like quite an arbitrary excuse for inaction because the alternative is (what exists right now) is in fact much worse.

You can provision pseudonyms if leaking "admin" is a big deal. I don't see why it would be given for the overwhelming majority of these devices "admin" is the only account that will ever be used.

You can also use PKI in conjunction with TLS-SRP to protect identity. You can create an anonymous association and then do TLS-SRP (no guarantee of identity protection in an active attack). The protocol supports that. It's your choice. Not giving people a choice at all by pointing out inherent unavoidable properties of technology does nobody any good.

Installing root CA to browse shared files on NAS

[tepples]

And certificates for such things are NOT REQUIRED to be signed by a well-known CA.

True for a router's administration interface, not so much if you want to allow friends and family to browse the files on your home NAS. Most are unlikely to be technical enough to install your private CA's root certificate.

Generate a CSR

Against what domain?

How do you generate different keys?

[dargaud]

I write software for custom embedded systems and I generate the ssh key pairs manually before flashing. It's time consuming but OK when you have just a few devices. But how would a manufacturer of a million device do it ? I understand it's so much easier to generate it once and flash all your devices at once. So what's the solution to do it properly ?

Re:How do you generate different keys?

Generate a new key when the user first connects to the admin?

Re:How do you generate different keys?

This is trivial... have a script that generates the key pairs (which likely already exists on your box) run once, at first boot. Ta-da! Done.

Re:How do you generate different keys?

Automatically generate the keys if they don't exist. Run at boot or service start or whatever. Also, whatever tool or script you use to build or flash the image should ensure no keys are included.

Re: How do you generate different keys?

Simply remove the key files from your image and the openssh server will create new ones automatically on the first boot.

Re:How do you generate different keys?

[PurpleAlien]

We build M2M devices, usually using low power micro controllers (read: no Linux, no SSH). However, each device has a unique 256 bit AES key to encrypt its data (that's every single device, not product). The key is generated when the micro controller is flashed on the production line in a fully automated fashion. If you integrate it into the production line like this it's just like adding a test point along the way.

Re:How do you generate different keys?

[F.Ultra]

As others have mentioned if the OpenSSH daemon notices that there are no host keys it will automatically generate them when it's started so all you have to do really is to make sure that you do a

rm /etc/ssh/ssh_host_*

Before you create the image that you flash, and if you upgrade your embedded systems by flashing your image then you have to either move these keys to a location where they are not overwritten (i.e deleted) by your upgrade image or move them out before upgrade and then move them back after otherwise you might accidentally remove them on each upgrade and thus creating new keys on each upgrade.

Good thing

I use telnet

Re:Installing root CA to browse shared files on NA

[ledow]

It doesn't matter, no domain required.

Your home NAS doesn't need to be signed at all. It just needs a cert.

Your family will get a warning, you just tell them to press okay.

If you're smart enough to activate a NAS on a DNS entry that resolves to it, with port-forwards into your local network, you're smart enough to sign a cert on that domain if you really want to.

Hell, Let's Encrypt makes it a matter of downloading a program on Windows, Linux or Mac and running it. You could do that for a subdomain.dyndns.org if you could really be bothered.

IDIOT == Insecurely Designed Internet Of Things

[knorthern+knight]

Spread the meme.

Re:Installing root CA to browse shared files on NA

[tepples]

Hell, Let's Encrypt makes it a matter of downloading a program on Windows, Linux or Mac and running it. You could do that for a subdomain.dyndns.org if you could really be bothered.

As described in this post on Let's Encrypt forums, trying that would produce the following error:

Error: rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: dyndns.org

Only five customers of a particular dynamic DNS provider can obtain certificates from Let's Encrypt in any 7-day window unless the provider applies to join the Public Suffix List, which can take weeks and can be refused.