Shodan Founder finds 250,000 routers sharing same SSH keys

The Founder of Shodan John Matherly was revamping the SSH banner when discovered a large number of devices that share same SSH keys.

The Founder of Shodan, John Matherly, has conducted in December 2014 a personal research discovering that more than 250,000 routers used in Spain and deployed by Telefonica de Espana, and thousands more used in other countries worldwide are using the same SSH keys

Matherly was revamping the SSH banner and collecting the fingerprint, when he observed that a few SSH keys were used by several devices.

For example, the following SSH fingerprint is used by 250,000 routers.

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

 

Matherly explained that the routers appear to be sold by Telefónica de España, the devices come pre-configured with the same operating system image. The expert highlighted that a small percentage of routers configured to allow a remote access may be vulnerable to cyber attack because share the same SSH private key.

“It looks like all devices with the fingerprint are Dropbear SSH instances that have been deployed by Telefónica de España,” Matherly wrote in a blog post.

“It appears that some of their networking equipment comes setup with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices.”

Matherly discovered other similar cases, separate batches of 200,000 and 150,000 devices were using the same SSH keys.

“The next duplicated fingerprint on the list comes in at around 200,000 devices, followed by another one used by 150,000 devices. By analyzing the facets it’s easy to get a picture of systemic issues that plague both hardware manufacturers as well as ISPs/ hosting providers.” continues the post.

Matherly has published on GitHub the list of unique fingerprints discovered in his analysis with Python script that he used to discover the duplicate SSL serial numbers.

https://gist.github.com/achillean/07f7f1e6b0e6e113a33c

The Reddit user cybergibbons run a similar analysis in UK discovering a block of shared fingerprints.

“11,5061, 7,875, and 2,224 instances of duplicates they said were linked to telcos Sky Broadband, TalkTalk and BT Plusnet“

7c:a8:25:21:13:a2:eb:00:a6:c1:76:ca:6b:48:6e:bf --> 11561

a8:99:c2:92:08:fb:5e:de:4b:96:14:de:61:df:ad:6d --> 7875

03:56:e6:52:ee:d2:da:f0:73:b5:df:3d:09:08:54:b7 --> 2224

b4:af:64:0c:9a:ed:ed:4d:b1:c0:12:5d:c9:e4:c8:f0 --> 1210

eb:65:52:6e:40:28:af:a6:36:5b:b3:b4:0c:5d:32:3d --> 1082

39:aa:e4:e9:a2:e7:c1:04:9d:00:9f:b6:99:d5:9c:bd --> 879

57:94:42:63:a1:91:0b:58:a6:33:cb:db:fe:b5:83:38 --> 777

f9:76:13:e7:86:11:8b:64:0f:e0:39:ea:e9:14:a7:18 --> 742

14:96:82:72:6f:bc:a5:14:53:1c:72:71:0d:8b:cb:c2 --> 740

34:47:0f:e9:1a:c2:eb:56:eb:cc:58:59:3a:02:80:b6 --> 726

(Security Affairs –  Shodan , SSH keys)