Researchers from SEC consult analyzed more than 4000 firmware’s embedded devices, where is included devices belonging to 70 vendors. The categories of devices analyzed include Internet gateways, routers, modems, IP cameras, VoIP phones, etc. SEC Consult was analyzing specifically the cryptographic keys (public keys, private keys, certificates) in firmware images of these devices, and concluded that most common keys are
These keys are generally used to access the IoT devices via SSH and HTTPS.
The experts analyzed 4000 firmware and found around 580 unique private keys, the use of Scans.io and Censys.io allowed them to discover that the same set of keys was widely re-used, on 580 keys, 230 are actively used.
Embedded cryptographic key
The firmware running on the IoT device came with embedded keys used mainly for HTTPS, and SSH connections, this bad practice exposes end users to risk of attacks. Attackers can easily find the key and access a huge quantity of IoT devices that share it.
The experts at SEC consult also discovered:
The researchers mentioned real cases that demonstrate the alarming habit:
Millions of devices exposed
SEC Consult’s researchers also uncovered another fact, many of these devices are directly accessible on the internet with insecure configurations and a used example is the case of Ubiquiti Networks, “who have remote management enabled by default in most products.”
Many Seagate GoFlex (80.000) are exposing HTTPS and SSH, and the blame should go the Seagate Share feature sets up port forwarding via UPnP.
In another case, the ISP exposes their clients’ IoT device by leaving their modems, routers and gateways with HTTPS and SSH remote administration features enabled by default.
The ISPs include, CenturyLink (500,000 exposed devices), TELMEX (1 million devices), Telefonica (170,000 devices), China Telecom (100,000 devices), VTR Globalcom (55,000 devices), Chunghwa Telecom (45,000) and Telstra (26,000 devices).
The counties with most affected hosts are:
SEC consult found more than 900 products from 50 vendors vulnerable, the list includes IoT devices proposed by:
ADB, AMX, Actiontec, Adtran, Alcatel-Lucent, Alpha Networks, Aruba Networks, Aztech, Bewan, Busch-Jaeger, CTC Union, Cisco, Clear, Comtrend, D-Link, Deutsche Telekom, DrayTek, Edimax, General Electric (GE), Green Packet, Huawei, Infomark, Innatech, Linksys, Motorola, Moxa, NETGEAR, NetComm Wireless, ONT, Observa Telecom, Opengear, Pace, Philips, Pirelli , Robustel, Sagemcom, Seagate, Seowon Intech, Sierra Wireless, Smart RG, TP-LINK, TRENDnet, Technicolor, Tenda, Totolink, unify, UPVEL, Ubee Interactive, Ubiquiti Networks, Vodafone, Western Digital, ZTE, Zhone and ZyXEL.
To avoid situations like these, the vendors have to ensure that each IoT device has its own unique cryptographic keys.
For the ISPs, if they need remote access for support purposes, they should set up a dedicated management VLAN with strict ACLs.
End users should change the SSH host keys and X.509 certificates of their IoT devices, an operation that is not allowed by some products, and in some cases users lack technical knowledge to change the settings.
All the problems emerged from the analysis have been reported by SEC consult to the CERT/CC which in August 2015 started informing device vendors, chipset manufacturers and affected ISPs. Some of them are already working on the fixes.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – IoT Devices, security)