back to article Lazy IoT, router makers reuse skeleton keys over and over in thousands of devices – new study

It's what we all assumed, but quietly hoped wasn't quite this bad. Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned. In other words, if you can log into one gizmo remotely, you can probably log …

  1. channel extended


    Of course I'm secure. I have a cert and everything!

    BTW if you publish our name I'll sue.

  2. Anonymous Coward
    Anonymous Coward

    Hidden in plain sight

    Did this escape notice so long only because no one thought the industry could actually be this thick?

  3. Anonymous Coward
    Anonymous Coward

    Quietly hoping it will be this bad. Or worse.

    I'm going to enjoy the steady trickle of schadenfreude, as the IoT early-adopters mangled corpses mount up.

    Followed by a massive payout of schadenfreude, when the consumer masses eventually turn against IoT, and the media are finally forced to write a post-mortem on the big ball of fail.

    1. Boris the Cockroach Silver badge
      Big Brother

      Re: Quietly hoping it will be this bad. Or worse.

      You'll be lucky, so long as the customer has a flashy gizmo that works, they wont care.

      The guys who baked the certs have long since been dismissed, after all, who needs engies after the product is finished, and the CEOs etc have also moved on to other companies... taking their dodgey practises (does it work ok? yes? ship it then) with them.

      One silver lining though.. at least the NSA/GCHQ only have to decrypt a few 100 certs to be able to listen to most of the internet ...

      1. VinceH

        Re: Quietly hoping it will be this bad. Or worse.

        "You'll be lucky, so long as the customer has a flashy gizmo that works, they wont care."


        I cite my brother as an example, with his central heating system. When he boasted about and and I (was the only one who...) expressed doubts and questioned how secure it was, his reaction was more or less "I don't care - who'd want to hack my central heating?"

        1. wyatt

          Re: Quietly hoping it will be this bad. Or worse.

          People don't realise that an entry point can go on to compromise other devices. Unfortunately there isn't a way to educate these people, convenience will always overrule security.

  4. This post has been deleted by its author

  5. Steve Davies 3 Silver badge


    Idiots or Twats?

    I can't decide which.

    Obviously everything is build down to a target price, made to work and shipped. fuck security because it is Far TOOoooooo hard.

    This is just one of the reasons why no IoT kit will be used in my home anywhere near a connection to the Internet. Isolated yes (well maybe). Connected, No, no and thrice no.

    Where's the Disaster waiting to happen icon when you need it eh?

  6. Anonymous Coward
    Anonymous Coward

    and not one el reg commentard was surprised that day.

    As I have previously said there is no way an IoT device is connecting to my network unless I potentially built it myself, it does not have internet access and I control the server/control unit.

  7. Anonymous Coward
    Anonymous Coward

    Fusable Link

    What we need is the IT equivalent of a fuse so the link to the internet opens under certain conditions. It's only after a major IT meltdown that makes the Fukushima disaster look small that security will become the primary goal. I just can't see anyway around this particular singularity.

  8. Anonymous Coward
    Anonymous Coward

    If you have any devices with vendor firmware exposed to the internet

    You deserve what you get. Replace the vendor firmware on wireless routers with DD-WRT or OpenWRT, and lose those built in backdoors. If you have a DSL or cable modem that can only run vendor firmware, disable all the remote login options from the internet side AND firewall off those ports (and do a port scan from the outside to verify they really are turned off)

    That's not 100% protection because maybe they have a certain range of IPs that they will allow connections from regardless of settings, or use some sort of port knocking setup to override settings and enable remote logins, but hopefully when that information leaks out it won't be in bad guys hands before long until the good guys find out, you read a Reg article, and say "shit, now I gotta replace my DSL modem".

    For IoT type devices it is simple - you don't allow access to them directly from the outside. Do you really need to visit your thermostat's web page from work or whatever the hell the IdioT proponents think that crap is good for? If so, then you deserve to come home and find your house is 90* and the only way to stop the furnace is to pull the thermostat off the wall!

  9. VinceH

    Obvious icon is obvious.

    But we perhaps also need an icon to express another sentiment: a "Why am I not surprised?" icon.

  10. g e

    Avoid Zyxel then

    Would seem to be a start, they seems to be prolifically lazy

    1. theOtherJT

      Re: Avoid Zyxel then

      True, but read the rest of the names in the list -

      Cisco's in there. So's Huawei. There's some big names in trouble here.

  11. Paul Woodhouse

    hmm, are these keys actually used for authentication on the device or are they used to encrypt traffic to/from the device?

    OK, both are a massive fail, but one will mean that any script kiddie can search for vulnerable devices and log into them, and the other will mean that someone will have to perform a MiM attack and wait for someone else to log in before he can get the means to.

  12. Anonymous Coward
    Anonymous Coward

    "This code is provided for example purposes only and should not be used in a production environment"

    - possibly the most futile comment in the last 40 years of software development.

  13. herman Silver badge

    Hmm, but what can one do with those devices once logged in? Using them to send spam email is so 20th century. Can one install a distributed file system and make a cloud with free redundant storage?

    1. JassMan


      "Can one install a distributed file system and make a cloud with free redundant storage": the answer is probably yes, but you would need more local storage to keep track of all the cloud stored bytes than keeping all your data locally. Especially since you would need massive redundancy to allow for devices being devices which someone may unplug. The only advantage is that you may be able to be able to create your own virtually uncrackable crypto system since the NSA would not know in which order you wrote or read individual bytes to which devices. The main drawback would be that you would not know if someone else had randomly selected the same devices for THEIR storage.

  14. David Roberts

    Which attacks are we looking at?

    Internet side of home routers? Old hat. Leaving this open for remote access has been a security risk for decades along with default passwords.

    WiFi or bluetooth access locally to IoT devices? This looks like a credible threat with default access credentials, but it does require the attacker to be close enough to interract with a low power wireless signal. War driving people's IoT installations may be fun - and easily automated - but there is limited scope for damage as far as I can see.

    Remote access over the Internet to home installations? How is this going to work? As far as I can see to have multiple IoT devices in the home you will need a NAT router to share your single IPv4 address and at least some entry level smarts to allow you to call into multiple devices to collect data. This is the software package where the risk lies as it sits between local devices and the Internet. If they are sending only then they have the same protection as any other home computing device on a LAN today. Only if they open an outgoing port in the router (to where?) which also accepts incoming calls from any IP address does there seem to be a route into an individual device. Sounds sadly quite possible, though.

    So I am prepared to believe all kinds of short cut stupidity in local management software, but the only obvious risk seems to be war driving. Until IPv6 of course. Which I understand is to be implemented at the same time as Linux becomes the global desktop replacement for Windows.[Which I also understand is always "this year".]

    TL;DR the only obvious threat to dumb IoT devices with default credentials seems to be within low power wireless range. All other threats seem to require intermediate aggregating software, which is the real area of risk. Unless you know otherwise?

    Oh, and pretty please a few upvotes to counter the downvotes for the Linux snark? Almost at my first thousand :-)

  15. Bronek Kozicki

    it shows ...

    ... that hardware vendors simply cannot be trusted with software security.

  16. Alan Brown Silver badge

    "MatrixSSL Sample Server Cert"

    Perhaps example certs should be setup as "Lazy Bastard didn't set up security properly"

  17. Stevie


    All your everything are belong to lightbulb.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like