Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet Security.ca and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet Security.ca today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

Millions of internet devices still sharing well-known private keys

Sponsered ads:
Read the latest IT news. Visit ItDirection.net. Updated several times daily.

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.

September 7, 2016

According to some recent work conducted by SEC Consult, millions of internet-facing devices, from home broadband routers to critical industrial equipment in production environments are still sharing well-known private keys for encrypting their internet communications.

In a follow-up brief to its 2015 study on internet security, the practice of reusing widely known secret pass-phrases in embedded systems is continuing unabated. In fact, in some cases it may be escalating.

In a nutshell, internet devices of all types and various gadgets are still sharing private keys for their built-in HTTPS and SSH servers.

SEC Consult asserts it's not hard to extract these keys from the devices and use them to eavesdrop on encrypted connections (SSL) and interfere with the equipment.

Imagine intercepting a connection to a web-based control panel, decrypting it, and altering the configuration settings on the fly. And because so many models and products are using the same keys, it's possible to attack and compromise thousands of systems all at once.

SEC Consult senior security consultant Stefan Viehbock scanned the public internet and found that the practice of using and re-using known private keys has greatly increased over the past year, with the number of internet-accessible security vulnerable devices ballooning to more than 4.5 million network appliances, IoT devices, and embedded systems all around the globe.

That's up a staggering 40 percent or 1.3 million from October 2015. While the basic cause for the security issues can vary, the firm has said that the issue can often come from several equipment vendors not bothering to change the settings on their hardware components, in many cases leaving the default keys and certificates in place with software developer kits.

"There are many explanations for this growing problem. The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/EoL products might be a significant factor, but even when security patches are available, embedded systems are still rarely patched in the majority of cases we've looked into," SEC Consult asserted.

It added-- "Insufficient firewalling of devices on the WAN side (by users, but also ISPs in case of ISP-supplied customer premises equipment ) and the growing trend of IoT-enabled products are a big contributing factor as well."

The ultimate solution to the various security issues will be to force each device to have a unique security key for data transmissions over the public web.

In most cases, this responsibility will fall on the device vendors to greatly step up their security efforts both before and after the hardware is released to the public.

Furthermore, the security researchers recommend that service providers use a VLAN connection when performing remote support on the devices, and that they limit the manner a connection can be established with on-premise hardware that ISPs provide customers with.

As for the end users who are left most vulnerable by the careless security practices, SEC Consult notes that only so much can be done, but that users need to be vigilant and on the lookout for things that might look suspicious.

"Overall and at the very least, end users should at least replace the SSH host keys and X.509 security certificates to device-specific ones," the company asserted.

"Of course this is not always possible, as some products do not allow this configuration to be changed or users do not have permissions to do it (frequent in CPE devices) or don't have the knowledge to perform such an operation," the company added.

"The required technical steps (generating a certificate or RSA/DSA key pair, etc) are not something that can be expected of a regular home user, but that any IT professional can easily perform such a task," it concluded.

Source: SEC Consult Internet Security.

Sponsered ads:
Read the latest IT news. Visit ItDirection.net. Updated several times daily.

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.


Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact
Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer