IoT Encryption Vulnerabilities Show How Often Devs Rip-Off Code
Some large portion of the Internet of Things has essentially left its backdoor wide open. This is according to a report released Wednesday by security researchers at SEC Consult examining SSH cryptographic keys and HTTPS secure server certificates from 4,000 different devices offered by 70 different manufacturers. As it turns out, these credentials are, more often than not, hard-coded and re-used among many different devices from sometimes even different companies.
(SSH and HTTPS are two ways a device might "talk" to a server and, thus, the internet.)
Of the 4,000 devices, SEC was able to identify only 580 unique keys. What does that mean? Imagine an apartment building of 4,000 rooms but with only 580 different locks; the odds would be pretty good that your neighbor and you share the same front-door key. It is a bit unsettling.
Note that we are not talking about internet-connected toaster ovens and Roombas but (mostly) basic networking technologies: home routers, modems, IP cameras, VoIP phones. Vulnerabilities here are far from trivial.
The culprits are static keys. These are built-in security keys that, as one might guess, do not ever change. They just come with the software or the software development kit (SDK) the software is based on. If you were some harried embedded systems developer trying to get a new device out the door, you might decide that this is good enough because who is really going to try and maliciously SSH their way into someone's camera.
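One way to check your own fleet for the kind of reuse the report counted (4,000 devices, 580 keys), as an added example that is not from the SEC Consult report: it groups ssh-keyscan-style output by OpenSSH SHA256 fingerprint and reports any host key seen on more than one device. The hostnames and key bytes below are constructed placeholders, not real host keys.

```python
import base64
import hashlib
from collections import defaultdict


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed input in ssh-keyscan output format ("host keytype base64-key").
# The key bytes are placeholders, not real host keys; three devices share one.
SAMPLE_KEYSCAN = "\n".join([
    "# router-vendor1-unit1:22 SSH-2.0-dropbear",
    f"router-vendor1-unit1 ssh-rsa {_b64(b'constructed-sdk-key-1')}",
    f"router-vendor1-unit2 ssh-rsa {_b64(b'constructed-sdk-key-1')}",
    f"camera-vendor2-unit1 ssh-rsa {_b64(b'constructed-sdk-key-1')}",
    f"modem-vendor3-unit1 ssh-ed25519 {_b64(b'constructed-unique-key')}",
])


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + _b64(digest).rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, key_b64) from ssh-keyscan output, skipping '#' comments."""
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0], parts[1], parts[2]


def hosts_by_fingerprint(text: str) -> dict:
    groups = defaultdict(set)
    for host, _keytype, key_b64 in parse_keyscan(text):
        groups[fingerprint(key_b64)].add(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def shared_keys(text: str) -> dict:
    """Fingerprints present on more than one host: the reuse the report measured."""
    return {fp: h for fp, h in hosts_by_fingerprint(text).items() if len(h) > 1}


def key_reuse_summary(text: str) -> tuple:
    """(distinct hosts, distinct keys): the report's '4,000 devices, 580 keys' shape."""
    groups = hosts_by_fingerprint(text)
    return len({h for hosts in groups.values() for h in hosts}), len(groups)


if __name__ == "__main__":
    hosts, unique = key_reuse_summary(SAMPLE_KEYSCAN)
    print(f"{hosts} hosts, {unique} distinct host keys")
    for fp, shared in shared_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by: {', '.join(shared)}")
```

Feed it the output of `ssh-keyscan` run against your own device inventory; a fingerprint shared across units, or across product lines, is the static SDK key the article describes.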
"The source of the keys is an interesting aspect," the SEC report notes. "Some keys are only found in one product or several products in the same product line. In other cases we found the same keys in products from various different vendors. The reasons vary from shared/leaked/stolen code, white-label devices produced by different vendors (OEM, ODM products) to hardware/chipset/SoC vendor software development kits (SDKs) or board support packages firmware is based on."
One example is an HTTPS certificate issued to a user known only as "Daniel" (with a Broadcom email address) and offered in the Broadcom SDK, i.e. the set of tools a developer would use to make software for Broadcom devices. The same certificate appears in software from Actiontec, Aztech, Comtrend, Innatech, Linksys, Smart RG, Zhone, and ZyXEL, which all together adds up to around 480,000 devices on the web.
That these vulnerabilities exist is not news in itself. Just searching "broadcom daniel" brings up a lot of suspicious forum posts. (To be clear, Daniel is not the problem so much as the developers using the Broadcom SDK.) SEC is just attaching some (very big) numbers to it.
If we extrapolate the SEC results to every device on the internet, things get even more ominous. The 580 unique private keys tracked by the researchers are likely protecting around 9 percent of all devices on the internet using HTTPS and 6 percent using SSH.
The issue is being tracked and addressed, the SEC report notes, with help from the Carnegie Mellon University Software Engineering Institute. Many vendors are in the process of addressing it as you read this today.