The Internet of Things (IoT), the chip- or sensor-equipped devices connected to each other over the Internet, continues to be a topic of concern among security researchers. A new report has found that a large number of well-known vendors continue to overlook security in their products, leaving their customers at risk. The list of vulnerable products stretches from IoT devices to networking equipment and mobiles.
According to a report by IT security consultancy SEC Consult, the cryptographic keys meant to certify that connections are being made to official servers and devices are in fact easily extractable. Compounding the problem, thousands of devices use the same ‘unique’ private keys, so once hackers get hold of one, they can potentially affect several more devices and connections.
The researchers at the firm analysed firmware images of over 4,000 embedded devices from over 70 companies, covering modems, routers, gateways, and VoIP phones. The firm said that most of these vendors reuse the same cryptographic keys. It was able to extract more than 580 unique private keys shared across systems. If attackers get access to these keys, they can impersonate any of the affected device servers and perform man-in-the-middle (MitM) and passive decryption attacks to obtain private information.
Of the total unique private keys, the firm said that at least 230 keys are actively used. Roughly 150 of the identified server certificates are used by a whopping 3.2 million HTTPS hosts, which, to give some context, represent nine percent of all HTTPS hosts on the Web. Private keys for more than six percent of all Secure Shell (SSH) hosts on the Web were also uncovered during the research. An attacker with access to all these keys could monitor encrypted Web traffic and spoof encrypted connections.
The firm further noted that most of the cryptographic keys are hardcoded into the firmware of Internet-enabled devices. Vendors were found to be using the same keys across their product lineup, and on many occasions the same keys were also found in products from different vendors. Best practices dictate that random, unique keys are generated for each device at the factory stage, or on first boot of the device.
One certificate, for instance, is found in a Broadcom software development kit (SDK) that companies such as Actiontec, Aztech, Innatech, Comtrend, Smart RG, Zhone and ZyXEL use to develop firmware. Because of this wide usage, the certificate is used in half a million devices. Another such certificate, found in a Texas Instruments SDK, is used by many major vendors and shared across 300,000 devices.
SEC Consult notes that millions of the devices are directly accessible via the Internet due to these crippled configurations. More than 80,000 Seagate GoFlex NAS devices were found to be accessible via the Internet.
The study found that Internet Service Providers (ISPs) including CenturyLink, TELMEX, Telefonica, China Telecom, VTR Globalcom and Chunghwa Telecom are also exposing their users to attacks, with HTTPS and SSH remote administration features enabled by default.
The report said, “We found more than 900 products from about 50 vendors to be vulnerable. Of course our data is limited to the firmware we had access to. Affected vendors are: ADB, AMX, Actiontec, Adtran, Alcatel-Lucent, Alpha Networks, Aruba Networks, Aztech, Bewan, Busch-Jaeger, CTC Union, Cisco, Clear, Comtrend, D-Link, Deutsche Telekom, DrayTek, Edimax, General Electric (GE), Green Packet, Huawei, Infomark, Innatech, Linksys, Motorola, Moxa, NETGEAR, NetComm Wireless, ONT, Observa Telecom, Opener, Pace, Philips, Pirelli, Robustel, Sagemcom, Seagate, Seowon Intech, Sierra Wireless, Smart RG, TP-LINK, TRENDnet, Technicolor, Tenda, Tootling, unify, UPVEL, Ubee Interactive, Ubiquiti Networks, Vodafone, Western Digital, ZTE, Zhone and ZyXEL.”
The firm says it believes that even more devices could be affected by the aforementioned attacks. SEC Consult’s findings once again underscore how vulnerable IoT devices are, and the extent to which they are used by people. As Kaspersky pointed out earlier this month, a vulnerable IoT device also compromises the security of the entire wireless network and the devices connected to it.