Industry-Wide HTTPS Certificate and SSH Key Reuse Endangers Millions of Devices Worldwide


  • ‘Worrying’ 9 Per Cent Of Encrypted Web Vulnerable To Private Key Attacks

    http://www.forbes.com/sites/thomasbrewster/2015/11/25/encrypted-routers-cameras-vulnerabilties-cisco-huawei-motorola

    The researchers, from SEC Consult, analyzed the cryptographic keys in the firmware of more than 4,000 connected devices from more than 70 vendors, detailing their efforts in a blog post today[1]. The affected “embedded systems” included internet gateways, routers, modems, IP cameras, network storage devices, mobile and Internet-connected phones, and more.

    They were able to extract more than 580 unique private keys embedded in firmware across devices, a significant number of which were shared across systems.

    [...]

    SEC Consult discovered more than 900 devices from 50 vendors to be vulnerable. Some of the bigger names included Cisco, General Electric, Huawei, Motorola and Seagate. “Particularly bad was Ubiquiti Networks,” said Johannes Greil, head of SEC Consult Vulnerability Lab, pointing to a previous disclosure on issues with the networking equipment vendor earlier this month. A large number of routers from the likes of NETGEAR, ZyXEL, Linksys, D-Link and TrendNET were shown to be vulnerable too.

    [1] http://blog.sec-consult.com/2015/11/house-of-keys-industry-wide-https.html