The number of internet-connected smart devices using non-unique private keys for HTTPS server certificates has risen by a staggering 40% over the past nine months, according to SEC Consult.
The Vienna-based security consultancy recently revisited its November 2015 study on hard-coded crypto secrets in embedded systems only to find the number of devices still sharing known private keys had risen from 3.2 million to 4.5m.
This practice makes it easier for attackers to launch Man in the Middle attacks, and the use of the same keys across multiple products makes it more feasible to do so from an RoI perspective.
“There are many explanations for this development. The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/EoL products might be a significant factor, but even when patches are available, embedded systems are rarely patched,” the firm explained.
“Insufficient firewalling of devices on the WAN side (by users, but also ISPs in case of ISP-supplied customer premises equipment, CPE) and the trend of IoT-enabled products are surely a factor as well.”
SEC Consult has now taken the unusual step of publishing all of its research data, including the 331 certificates and matching private key, as well as 553 individual private keys, alongside the names of the products containing the certs/keys.
“Releasing the private keys is not something we take lightly as it allows global adversaries to exploit this vulnerability class on a large scale,” it said. “However, we think that any determined attacker can repeat our research and get the private keys from publicly available firmware with ease.”
SEC Consult recommended manufacturers of these embedded computing devices to ensure they use a unique, random crypto key for each piece of kit.
ISPs, meanwhile, need to make sure remote access via the WAN port is not possible to routers and the like, and if access is needed then a VLAN must be used.
Tech-savvy home users were urged to change the SSH host keys and X.509 certificates to device-specific ones, if possible.
Kevin Bocek, vice president of security strategy & threat intelligence at Venafi, argued the problem is only going to get worse.
“The attack surface is broadening, with millions more devices being added daily. And DevOps is driving developers to go faster and skills protecting keys and certificates are in short supply,” he claimed.
“This is why companies need to take back control and take immediate action to protect themselves. By identifying all keys and certificates used on networks, across the cloud, and out to the Internet, organisations can identify possible failures like rampant key reuse that threatens to smash the foundation of security.”