Researchers at SEC Consult say the number of internet gateways, routers, modems and other embedded devices sharing cryptographic keys and certificates is up 40 percent since the Austrian consulting firm first looked at the problem in November.
The report, posted Tuesday called “House of Keys,” warns a sharp rise of devices using known private keys for HTTPS server certificates could easily spur an uptick in man-in-the-middle attacks that can lead to more extensive intrusions. Over the past nine months, that number has gone from 3.2 million (in November 2015) to 4.5 million today, SEC Consult reports.
“There are many explanations for this development. The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/[end of life] products might be a significant factor, but even when patches are available, embedded systems are rarely patched,” wrote Stefan Viehböck, senior security consultant at SEC Consult in a blog post.
SEC Consult’s findings echoed much of its original research conducted late last year when it analyzed public and private cryptographic SSH keys and X.509 certificates in the firmware of more than 4,000 embedded devices from 70 vendors. At the time, researchers said nearly 600 unique private keys were discovered to have been distributed among the devices.
For its most recent report, SEC Consult said the data published Tuesday consists of 331 certificates including the matching private key as well as 553 individual private keys. A re-examination of the certificates and keys confirmed old problems; the Broadcom SDK “Daniel” certificate is still used by 500,000 devices and the Multitech/Texas Instruments certificate is used by 280,000 devices on the web, according to SEC Consult.
New troubling certificate/private key pair issues were identified by SEC Consult with various Alcatel-Lucent OmniAccess firmware.
“Contrary to most other certificates we’ve found, the certificate is signed by a browser-trusted CA (GeoTrust), is issued to ‘securelogin.arubanetworks.com’ and valid until August 2017,” Viehböck said. “Turns out that Aruba Networks is the OEM for the Alcatel-Lucent OmniAccess product line. The certificate is part of ArubaOS and the certificate is used in various Aruba Networks products as well. 49,000 devices on the web are using this certificate.”
SEC Consult said the ArubaOS certificate is both the default HTTPS server certificate (captive portal and web administration) and the WPA2-Enterprise 801.X authentication. “This allows attackers to do all kinds of nasty MITM attacks (active/passive HTTPS decryption, rogue access points, etc.),” wrote Viehböck.
In the report, even when there was good news it came with gloomy qualifiers. Such was the case with device maker Ubiquity Networks with a reported 62 percent reduction in network devices with insecure SSH keys and HTTPS certificate. “The bad news is that the major drop is likely caused by various botnets that exploit weak credentials as well as critical vulnerabilities including an innocently titled “Arbitrary file Upload” vulnerability (straightforward remote code execution, Metasploit module available),” Viehböck said.
According to SEC Consult, Ubiquiti support forums are filled with people who are struggling to remove malware from customers’ devices. “These botnets might have forced Ubiquiti customers to firewall their devices,” Viehböck wrote.
In the report, SEC Consult hints that some vendors may be waking up to the problem. In one instance, Viehböck cites a post by Alcatel-Lucent OmniAccess product line “security guy” stating:
“In the past we were persuaded by the “but certificates are too complicated – just leave the factory default cert as-is and customers who care about security can update it” argument, but I now think we’re doing a disservice to customers by giving them too much rope with which to hang themselves.”
Recommendations for remediation are the same as they were nine months ago, according to SEC Consult. It recommends device makers make sure each device uses random, unique cryptographic keys. It also recommends ISPs make sure remote access via the WAN port to Common Platform Enumerations (CPEs) is not possible. Lastly, SEC Consult suggests end users change the SSH host keys and X.509 certificates to device-specific ones.
“Releasing the private keys is not something we take lightly as it allows global adversaries to exploit this vulnerability class on a large scale. However we think that any determined attacker can repeat our research and get the private keys from publicly available firmware with ease,” Viehböck wrote.
