back to article Internet of Sins: Million more devices sharing known private keys for HTTPS, SSH admin

Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications. This is according to research from SEC Consult, which said in a follow-up to its 2015 study on security in embedded systems that the practice of reusing …

  1. A Long Fellow

    So, really, we're looking at the inherent (in)security of Windows 95 in a burgeoning array of IoT devices. And not just a single behemoth obsessed with profit at any cost, but a teeming host of companies that are solely concerned with making this quarter's earnings call.

    What could possible go wrong?

    All hyperbole aside, isn't this -- on a slightly different scale -- precisely the situation that will ensue if the TLAs prevail in their demands for backdoors that "only the good guys know about"?

  2. Hans 1

    >"This is not always possible, as some products do not allow this configuration to be changed or users do not have permissions to do it (frequent in CPE devices). The required technical steps (generating a certificate or RSA/DSA key pair, etc) are not something that can be expected of a regular home user."

    Flash free software onto the thing, problem solved. Next time, DO NOT BUY devices with PROPRIETARY software in the first place. Note that this cannot be done some CPE devices unless you no longer use the device as intended.

    1. Richard 12 Silver badge

      Not an option in 99.9% of IoT

      These are custom hardware.

      They aren't PCs, or even well-known chipsets.

      There isn't any free software for them, flashing new firmware onto it is difficult - often needing a custom programming dongle - and the huge variety means that every one is different.

      Without the original source and toolchain it's basically impossible for a well-resourced developer to create a firmware pack, let alone a hobbyist.

      Welcome to the real world of hardware.

  3. Colin Millar

    FTFY

    End users should change the SSH host keys and X.509 certificates to device-specific ones throw the crap in the bin and engage their brains before buying stuff in future.

  4. Huns n Hoses

    A bit like the student flat I had

    After a while everyone either has a key or knows where one is badly hidden. I think the real issue is the existence of the lock at all in this situation, talking the talk only.

    1. Rich 11 Silver badge

      Re: A bit like the student flat I had

      Everyone and everyone's ex-partners. Along with a couple of best mates, one or more neurotic parents and that nice lady downstairs who will accept parcels during the day, just as long as she doesn't have to pile them up in her doorway.

  5. Richard Jones 1
    WTF?

    IDIOTIC

    IOT? sorry I can fix that one for you it is: Internet Direct Interconnect of Threats Including Chaos, i.e. it spells IDIOTIC.

    That sounds way more accurate with every day that passes and every report I read. The company I worked for had 'leaders' who were seduced by shiny knobs and buttons, the company no longer exists, neither should these dumb ass heaps of junk.

    Commercial system automation systems are being hacked everyday. Can no body read and understand? 19th entry security no longer works; this is the 21st century, unless that is you want second division hackers to cut their teeth on your kit.

  6. Paul

    El REg wrote "researchers recommend that service providers use a VLAN connection"

    shouldn't that be VPN connection?

  7. Anonymous Coward
    Anonymous Coward

    Many reasons?

    > "There are many explanations for this development.

    Just one I think: the vendors are too cheapskate to pay for a pen test

  8. allthecoolshortnamesweretaken

    Friends don't let friends buy insecure IoT crap. Hmm. Did I just use a pleonasm?

  9. Down not across
    Facepalm

    Doesn't even require complex solution

    Given most devices have a "Reset to factory settings" option. Why not have that option, among other things, regenerate host keys for the device. Not even difficult to implement.

    1. Richard 12 Silver badge

      Re: Doesn't even require complex solution

      Generating the keys requires a decent source of entropy - otherwise it's not a key.

      Most microcontrollers don't have those unless the IoT designer adds one in hardware.

      Some of the new ARM do have this built-in, but it adds cost.

      1. Anonymous Coward
        Anonymous Coward

        Re: Doesn't even require complex solution

        "Some of the new ARM do have this built-in, but it adds cost."

        Extra cost which in theory would be paid for by the increased value/price of a device which will actually sell, because it can be shown to be more trustworthy than its competitors. Market forces, informed consumers, right?

        In theory.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like