More IoT Vulnerabilities Discovered

Monday, November 30, 2015 @ 04:11 PM gHale

A boatload of connected devices share the same cryptographic keys, which exposes them to impersonation and eavesdropping attacks, a new study said.

After analyzing firmware images of over 4,000 embedded devices from over 70 vendors, including modems, routers, gateways, VoIP phones and IP cameras researchers at SEC Consult identified 580 unique private keys, the most common being SSH host keys and X.509 certificates used for HTTPS. These keys generally end up used for SSH and HTTPS access to the device, according to a blog post.


Using the and Internet-wide scanning services, SEC Consult researchers found at least 230 of the 580 keys actively used. About 150 of the identified server certificates are used by 3.2 million HTTPS hosts, which represents 9 percent of all HTTPS hosts on the web, while 90 of the SSH keys see use by 0.9 million SSH hosts, representing 6 percent of hosts available on the Web.

As it turns out, the cryptographic keys are hardcoded into the firmware of the IoT devices, which means every device running a given firmware image holds the same keys. In some cases the keys are only shared across devices in one product line, but the researchers also found identical keys in products from different vendors.
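As an added illustration, not code from the SEC Consult study or this article, the check below groups scanned hosts by the OpenSSH SHA256 fingerprint of their host key, which is how a shared hardcoded key shows up in scan data. The hosts, key bytes and scan records are constructed for the example; only the fingerprint and wire-format handling follow OpenSSH's conventions.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(raw_key: bytes, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-ed25519 AAAA...' line from a 32-byte public key.
    Used here only to construct sample scan data; the key bytes are synthetic."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line


def fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style SHA256 fingerprint of a public key line,
    after checking that the declared type matches the type inside the blob."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type mismatch in " + pubkey_line[:40])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_records):
    """Group scanned hosts by host-key fingerprint and return only the
    fingerprints seen on more than one host: the signature of a key
    baked into a firmware image rather than generated per device."""
    by_fp = defaultdict(set)
    for host, key_line in scan_records:
        by_fp[fingerprint(key_line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed sample: three gateways running the same firmware image and one
# device that generated its own key on first boot (what vendors should ship).
SHARED_KEY = bytes(range(32))
UNIQUE_KEY = hashlib.sha256(b"per-device key").digest()
SAMPLE_SCAN = [
    ("203.0.113.10", ed25519_pubkey_line(SHARED_KEY, "gateway-a")),
    ("203.0.113.11", ed25519_pubkey_line(SHARED_KEY, "gateway-b")),
    ("198.51.100.7", ed25519_pubkey_line(SHARED_KEY, "gateway-c")),
    ("198.51.100.8", ed25519_pubkey_line(UNIQUE_KEY, "gateway-d")),
]

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

The same grouping works for HTTPS by feeding it the SHA256 fingerprint of each host's DER certificate instead of the SSH key line.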

One example provided by the researchers is a certificate found in a Broadcom software development kit (SDK). The SDK is used by companies such as Actiontec, Aztech, Innatech, Comtrend, Smart RG, Zhone and ZyXEL to develop firmware.

That means the certificate is in nearly 500,000 devices. A Texas Instruments SDK used by several major vendors led to a single certificate shared across 300,000 devices.

An attacker with access to the victim’s network can use these keys to launch impersonation, man-in-the-middle (MitM), and passive decryption attacks in an effort to obtain sensitive information. Attacks over the Internet are also possible by bad guys capable of monitoring Web traffic, SEC Consult said.

SEC Consult’s analysis also found IoT devices are directly accessible via the Internet, in many cases due to insecure default configurations.

ISPs also expose users to remote attacks by shipping modems, routers and gateways with HTTPS and SSH remote administration features enabled by default. The list of impacted ISPs includes U.S.-based CenturyLink (500,000 exposed devices), Mexico-based TELMEX (1 million devices), Spain-based Telefonica (170,000 devices), China Telecom (100,000 devices), Chile-based VTR Globalcom (55,000 devices), Taiwan’s Chunghwa Telecom (45,000) and Australian ISP Telstra (26,000 devices).

One quarter of the affected hosts have been found in the United States, followed by Mexico, Brazil and Spain.

SEC Consult reported identifying over 900 vulnerable products from 50 vendors, but the actual number could be much higher considering the security firm’s study only targeted firmware it had access to.

SEC Consult said it has been working with CERT/CC since August to notify the affected vendors. CERT/CC has also published an advisory describing the hardcoded key issues uncovered by SEC Consult.