Firm Finds Crypto Keys Recycled on Thousands of Devices

Cloud and Key
Cryptographic keys are being reused by products by some 70 vendors, with hundreds of thousands of embedded systems like Internet routers and IP cameras affected.

In-brief: Encryption keys used to secure data on- and communications between embedded devices are being recycled, creating a huge vulnerability that malicious hackers could exploit to snoop on sensitive communications or impersonate devices.

Encryption keys used to secure data on- and communications between embedded devices are being recycled, creating a huge vulnerability that malicious hackers could exploit to snoop on sensitive communications or impersonate devices.

The warning comes from the security firm SEC Consult, which published the results of an analysis of firmware (or software) running more than 4,000 embedded devices from 70 vendors.  The firm found more than 580 unique private encryption keys that were reused across the devices, representing more than nine percent of all secure web (HTTPS) hosts on the web and six percent of SSH hosts.

At least 230 out of the 580 keys identified by SEC Consult are “actively used,” the firm said.

[Read more Security Ledger coverage of security issues with firmware.]

The research, by Stefan Viehböck, a Senior Security Consultant at SEC Consult, is just the latest to highlight the risk posed by flawed- or vulnerable cryptographic implementations. In April, 2014, for example, an exploitable hole in the OpenSSL software prompted urgent warnings and frenzied patching by countless software firms that relied on the open source package to manage secure communications.

SEC Consult said the reused private keys are embedded or “baked in” to the firmware of devices including Internet gateways, routers, modems, IP enabled cameras, network attached storage (NAS) devices and Voice over IP (VoIP) phones. The reused keys are mostly used for providing HTTPS and SSH access to the device.

Viehböck said the reuse of the keys is due to many factors. In some cases, encryption keys were used in common between several products in the same product line. But the firm also found cryptographic keys that were the same in products from different vendors. In those cases, the underlying operating system that contained the keys may have been “white labeled” to devices produced by different vendors, supply chain overlap including use of the same hardware such as development boards or system on chip (SoC) packages. In some cases, firmware source code may have been illegally shared, leaked or stolen.

In just one example, SEC Consult found a certificate linked to a Broadcom SDK (software development kit) used in firmware from a long list of prominent device makers including Actiontec and Linksys. The affected vendors used the Broadcom SDK to develop their own firmware, wrapping in the private key in the process. More than 480.000 devices on the web are using this single certificate, SEC Consult warned.

Similar issues were discovered with certificates issued to other SDKs from prominent vendors. A certificate issued to Multitech in Bangalore and linked to a Texas Instruments SDK for ADSL2+ routers was found in firmware for over 300,000 devices from a wide range of vendors.

Many of the device with recycled cryptographic keys can be accessed directly from the public Internet, often because of remote management features that have been enabled. “Enabling remote management exposes an additional attack surface and enables attackers to exploit vulnerabilities in the device firmware as well as weak credentials set by the user,” the firm said.

This is just the latest warning about insecurities linked to the software running on embedded systems. In a report released in November, researchers at universities in Germany and France said that three-quarters of embedded systems that sport web interfaces contained serious security vulnerabilities.