Shodan Founder finds 250,000 routers sharing same SSH keys

Pierluigi Paganini February 21, 2015

The Founder of Shodan John Matherly was revamping the SSH banner when discovered a large number of devices that share same SSH keys.

The Founder of ShodanJohn Matherly, has conducted in December 2014 a personal research discovering that more than 250,000 routers used in Spain and deployed by Telefonica de Espana, and thousands more used in other countries worldwide are using the same SSH keys

Matherly was revamping the SSH banner and collecting the fingerprint, when he observed that a few SSH keys were used by several devices.

For example, the following SSH fingerprint is used by 250,000 routers.


ssh keys fingerprint Shodan


Matherly explained that the routers appear to be sold by Telefónica de España, the devices come pre-configured with the same operating system image. The expert highlighted that a small percentage of routers configured to allow a remote access may be vulnerable to cyber attack because share the same SSH private key.

“It looks like all devices with the fingerprint are Dropbear SSH instances that have been deployed by Telefónica de España,” Matherly wrote in a blog post.

“It appears that some of their networking equipment comes setup with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices.”

Matherly discovered other similar cases, separate batches of 200,000 and 150,000 devices were using the same SSH keys.

“The next duplicated fingerprint on the list comes in at around 200,000 devices, followed by another one used by 150,000 devices. By analyzing the facets it’s easy to get a picture of systemic issues that plague both hardware manufacturers as well as ISPs/ hosting providers.” continues the post.

Matherly has published on GitHub the list of unique fingerprints discovered in his analysis with Python script that he used to discover the duplicate SSL serial numbers.

The Reddit user cybergibbons run a similar analysis in UK discovering a block of shared fingerprints.

“11,5061, 7,875, and 2,224 instances of duplicates they said were linked to telcos Sky Broadband, TalkTalk and BT Plusnet

7c:a8:25:21:13:a2:eb:00:a6:c1:76:ca:6b:48:6e:bf --> 11561
a8:99:c2:92:08:fb:5e:de:4b:96:14:de:61:df:ad:6d --> 7875
03:56:e6:52:ee:d2:da:f0:73:b5:df:3d:09:08:54:b7 --> 2224
b4:af:64:0c:9a:ed:ed:4d:b1:c0:12:5d:c9:e4:c8:f0 --> 1210
eb:65:52:6e:40:28:af:a6:36:5b:b3:b4:0c:5d:32:3d --> 1082
39:aa:e4:e9:a2:e7:c1:04:9d:00:9f:b6:99:d5:9c:bd --> 879
57:94:42:63:a1:91:0b:58:a6:33:cb:db:fe:b5:83:38 --> 777
f9:76:13:e7:86:11:8b:64:0f:e0:39:ea:e9:14:a7:18 --> 742
14:96:82:72:6f:bc:a5:14:53:1c:72:71:0d:8b:cb:c2 --> 740
34:47:0f:e9:1a:c2:eb:56:eb:cc:58:59:3a:02:80:b6 --> 726

(Security Affairs –  Shodan , SSH keys)

you might also like

leave a comment