IoT devices keep using known private HTTPS keys, despite expert warnings

Millions of internet-facing devices, such as home routers and internet of things devices can still easily be spied on.

Millions of internet-facing devices, such as home routers and internet of things devices can still easily be spied on, and there is very little the end user can do about it.  According to a new report by security researchers from SEC Consult, these devices keep sharing well-known private encryption keys, allowing hackers to spy on encrypted communications with ease.  

To make matters worse, as the number of devices keeps on growing at an enormous rate, and with many of these devices using the same key, it is sometimes possible to attack thousands of them at once. In a nutshell – these devices are sharing keys for their HTTPS and SSH servers. This happened, at least according to SEC Consult senior security consultant Stefan Viehböck, mostly because vendors couldn't be bothered to change the default settings on their hardware. 

"There are many explanations for this development. The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/EoL products might be a significant factor, but even when patches are available, embedded systems are rarely patched," SEC Consult said. 

"Insufficient firewalling of devices on the WAN side (by users, but also ISPs in case of ISP-supplied customer premises equipment [CPE]) and the trend of IoT-enabled products are surely a factor as well."  

According to the report, the best way to solve the issue is to force each device to have a unique security key for data transmissions. End users can't do much about it – they can only change the SSH host keys and X.509 certificates to device-specific ones, but not all devices allow these changes to be made.

Image Credit: Yuri Samoilov / Flickr