Duplicate private keys leaving encrypted devices vulnerable to attack

Basic encryption mistakes are still being made that are putting consumers at risk, according to researchers from SEC Consult.

The Austrian team found that nine per cent of all devices using HTTPS encrypted lines were susceptible to private key extraction, meaning that attackers could impersonate any number of vulnerable device servers, including Internet gateways, routers, network storage devices or smartphones. The private keys for six per cent of all SSH hosts on the web were also discovered.

Read more: Security a major issue as remote working grows

The static keys used by the devices have been hardwired into the firmware image and are predominantly used to provide HTTPS and SSH access. However, all devices that use the firmware have identical keys – making for a serious security issue. SEC Consult suggests that the duplicate keys are likely to be the result of shared/leaked/stolen code, white-label devices, software development kits or board support packages.

The research found that the vulnerability was present across a wide range of technology vendors, including: Alcatel-Lucent, Cisco, Deutsche Telekom, Huawei, Motorola, Seagate, Vodafone and many others. Researchers added that attackers would most likely have to be using the same network to instigate any malicious activity.

“Impersonation, man-in-the-middle or passive decryption attacks are possible” researchers explained. “These attacks allow an attacker to gain access to sensitive information like administrator credentials which can be used in further attacks. In order to exploit this vulnerability, an attacker has to be in the position to monitor/intercept communication. This is easily feasible when the attacker is located within the same network segment (local network). Exploiting this vulnerability via the Internet is significantly more difficult, as an attacker has to be able to get access to the data that is exchanged.”

Read more: 4 tips to protect businesses online

In order to avoid falling victim to a cyberattack, vendors must ensure that every device uses a random, unique cryptographic key and ISPs have to ensure that remote access via the WAN port to consumer premises equipment is not possible. Even if these precautions are taken, however, it is worrying that these vulnerabilities are still being discovered in supposedly secure devices.

Image Credit: wk1003mike / Shutterstock