Cryptographic Key Reuse Exposed, Leaving Users at Risk
A lack of unique keys in embedded devices is revealed, leaving such devices subject to impersonation, man-in-the-middle or passive decryption attacks.The promise of encryption is that it keeps information hidden from public view. But what happens when multiple devices share the same encryption key? According to a report from security firm SEC Consult, millions of devices are at risk because vendors have been reusing HTTPS and Secure Shell (SSH) encryption keys. "Research by Stefan Viehböck of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys," CERT warns in vulnerability note #566724. "Vulnerable devices may be subject to impersonation, man-in-the-middle, or passive decryption attacks." Viehböck looked at more than 4,000 devices from 70 vendors and found only 580 unique private keys were in use. There is a significant amount of reuse across keys that SEC Consult has estimated to impact approximately 50 vendors and 900 products. CERT's vulnerability note explains that for the majority of vulnerable devices, vendors reused certificates and keys across their own product lines. "There are some instances where identical certificates and keys are used by multiple vendors," CERT's vulnerability note states. "In these cases, the root cause may be due to firmware that is developed from common SDKs (Software Development Kits), or OEM (Original Equipment Manufacturer) devices using ISP-provided firmware."
Tod Beardsley, research manager at Rapid7, is not surprised at the SEC Consult findings. When auditing inexpensive embedded devices, his No. 1 complaint is when the administrative interface isn't encrypted at all, he said.