Cryptographic Key Reuse Exposed, Leaving Users at Risk
Angel Grant, senior manager at RSA, the security division of EMC, noted that security key management has always been a challenge and will continue to propagate as the Internet of things (IoT) expands. "There currently is no model of trust between machines, so organizations need to pause and think about the potential attack vectors that will leverage the potential computing power of IOT to create things like a Botnet of Things (BOTOT) or Thing in the Middle (TITM)," Grant told eWEEK. Best Practices There are a number of things that vendors can and should do to limit the risk of cryptographic key reuse. In many cases, however, the challenge lies with the actual end users of devices.Grant suggests that if an organization is using one of the impacted devices internally, it should closely monitor its traffic as an attacker can manipulate this vulnerability when located within the same network segment. "Moving forward, it will become more critical that organizations use the best practice of ensuring each device uses unique cryptographic keys," Grant said. Kevin Bocek, vice president of security strategy and Threat intelligence at Venafi, said his company along with the National Institute of Standards and Technology (NIST) recently issued a new publication titled Security of Interactive and Automated Access Management using Secure Shell (SSH). The NIST document provides guidance on several critical aspects of SSH, including its underlying technologies, inherent vulnerabilities and best practices for managing SSH keys throughout their life cycle. "All SSH access depends on the proper management and security of SSH keys," Bocek said. "If your organization does not have an active SSH key management and security project, it is at risk." There is also a short-term fix that can help to limit the risk of being exposed to reused cryptographic keys. "As far as protecting today's vulnerable devices, moving them off the general Internet and into a VPN controlled network is probably the best short-term solution," Beardsley suggested. "VPNs are an increasingly important component of modern enterprise networks. There are pretty easy-to-use interfaces on laptops, tablets and phones today, and their use is getting more normalized on otherwise public networks." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
"The problem with this sort of vulnerability is that the device owner [user] actually can't do anything other than replace the device," Lindell said. "It's also not necessarily the case that a vendor can issue a simple firmware update. This is because not all of these devices may support such a remote update securely."