Slashdot Mirror

← Back to Stories (view on slashdot.org)

Million More Devices Sharing Known Private Keys For HTTPS, SSH Admin (theregister.co.uk)

Posted by msmash on from the Immensely-Obvious-Threat dept.

Millions of internet-facing devices -- from home broadband routers to industrial equipment -- are still sharing well-known private keys for encrypting their communications, reports The Register. From the report: This is according to research from SEC Consult, which said in a follow-up to its 2015 study on security in embedded systems that the practice of reusing widely known secrets is continuing unabated. Devices and gadgets are still sharing private keys for their builtin HTTPS and SSH servers, basically. It is not difficult to extract these keys from the gizmos and use them to eavesdrop on encrypted connections and interfere with the equipment: imagine intercepting a connection to a web-based control panel, decrypting it, and altering the configuration settings on the fly. And because so many models and products are using the same keys, it's possible to attack thousands of boxes at once. SEC Consult senior security consultant Stefan Viehbock scanned the public internet and found that the practice of using known private keys has increased over the past nine months, with the number of net-accessible vulnerable devices ballooning to more than 4.5 million network appliances, IoT devices, and embedded systems around the world. That's up 40 per cent, or 1.3 million, from November, according to SEC Consult.

3 of 54 comments (clear)

  1. Free and Easy. by jellomizer · · Score: 4, Insightful

    The biggest problem I see is the following.
    1. Certificates are expensive
    2. They are hard to Setup.

    I am mostly an Application developer type of guy. I may setup a Secure site once every few years. However this process for Apache, and IIS seems to be overly complex. I am sure if I did it every day it would be second nature, but for the guy who does it every once in awhile, it takes a while and some trial and error.

    There hasn't been much of a thought on making this process easy to understand for the non-Administrator/Security personnel to setup.

    Now many of these devices that we use are made by companies whose main concerns are the following.
    * Getting the product out fast
    * Having the customer like the product
    * Saving money in making the product

    Security is one of those long term features if they can find "good enough" level they will not have many problems. For the most part "Good Enough" is to make sure the data is encrypted not necessarily encrypted well.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Free and Easy. by tepples · · Score: 2

      Because of rate limiting, Let's Encrypt works only if you buy your own domain and dynamic DNS hosting. So if you sell a million appliances, you end up with a million users who each have to buy and renew a domain and buy and renew a dynamic DNS hosting plan.

  2. This ad brought to you by SEC Consult by Anonymous Coward · · Score: 2, Interesting

    I've never heard of SEC Consult, but they're mentioned 3x in the summary.