Millions of Insecure Devices Share The Same Keys

So how would it be if you found out that the key to your house also worked at your neighbor’s house?  What if it turned out the builder in your subdivision used the exact same lock on every house they built, and your key could get you into every house in your neighborhood?

This is essentially the situation that security researchers at SEC Consult discovered with a host of Internet-connected devices.  Millions of routers, web cameras, DVRs and other devices share the same cryptographic keys used for remote access and management.  Some of these devices are the same Ubiquiti cable modems we reported on earlier.  The weakness is that the HTTPS server certificates and SSH host keys, private keys included, are baked into the firmware, so every unit running that firmware image carries the same key.  Anyone who pulls the private key out of one device or firmware image can impersonate or intercept the management sessions of every other device that shares it, which leaves them all vulnerable to a single attack.  These devices are reachable from the Internet because in many cases the remote management feature was active by default and had not been disabled at the time of installation.

There are a couple of great articles that go into detail if you are interested.  The links are below.  The take-aways here are the same:

  • Disable remote administration
  • Change all default users and passwords
  • Regenerate the device’s HTTPS certificate and SSH host keys so they are no longer the ones baked into the firmware; if the firmware gives you no way to do that, keep management off the Internet and press the vendor for an update.
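One way to check firmware you have in hand for the weakness described above, as an added example written for this post rather than SEC Consult’s own tooling: scan each firmware blob for PEM-encoded private keys and certificates, fingerprint them, and report any key that turns up in more than one image. The image names, the junk bytes around the PEM blocks and the key material itself are constructed so the script runs offline; real images would be read from disk.

```python
"""Find hard-coded keys shared across firmware images (added example).

Scans raw firmware blobs for PEM-encoded private keys and certificates,
fingerprints each one, and reports any key that shows up in more than
one image. The SAMPLE_IMAGES below are constructed byte strings with toy
PEM blocks so the script runs offline; real images would be read with
open(path, "rb").read().
"""
import base64
import hashlib
import re
from collections import defaultdict

# Matches any PEM block: -----BEGIN X----- <base64 lines> -----END X-----
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]+?)-----\s*(.+?)\s*-----END \1-----", re.DOTALL
)

# Labels worth fingerprinting; anything else (e.g. PUBLIC KEY) is skipped.
SENSITIVE = {
    "RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
    "OPENSSH PRIVATE KEY", "CERTIFICATE",
}


def extract_pem_blocks(blob: bytes):
    """Yield (label, der_bytes) for every sensitive PEM block in a blob."""
    for m in PEM_RE.finditer(blob):
        label = m.group(1).decode("ascii")
        if label not in SENSITIVE:
            continue
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            continue  # looked like PEM but is not base64 (e.g. a help page)
        yield label, der


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER bytes, colon-separated like openssl -fingerprint."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def shared_keys(images: dict) -> dict:
    """Map 'LABEL FINGERPRINT' -> sorted image names embedding that key.

    Only keys found in two or more images are returned; a key unique to
    one build is not the problem described in the article.
    """
    seen = defaultdict(set)
    for name, blob in images.items():
        for label, der in extract_pem_blocks(blob):
            seen[(label, fingerprint(der))].add(name)
    return {
        f"{label} {fp}": sorted(names)
        for (label, fp), names in seen.items()
        if len(names) > 1
    }


def _pem(label: str, payload: bytes) -> bytes:
    """Wrap constructed payload bytes in a PEM envelope with 76-char lines."""
    b64 = base64.encodebytes(payload)
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label.encode(), b64, label.encode())


# Constructed sample data: NOT real keys, just bytes that decode as base64.
SHARED_KEY = _pem("RSA PRIVATE KEY", b"toy key material, not a real key" + b"\x00" * 48)
UNIQUE_KEY = _pem("RSA PRIVATE KEY", b"different toy key material" + b"\x01" * 48)
SAMPLE_IMAGES = {
    "router_v1.2.bin": b"\x7fELF\x01\x01junk" + SHARED_KEY + b"\xff" * 16,
    "camera_v3.0.bin": b"hsqs\x00squashfs junk" + SHARED_KEY + b"\x00" * 8,
    "dvr_v0.9.bin": b"\x00" * 8 + UNIQUE_KEY,
}

if __name__ == "__main__":
    for key, names in shared_keys(SAMPLE_IMAGES).items():
        print(f"{key} is shared by: {', '.join(names)}")
```

This only catches PEM-formatted material; Dropbear, the SSH server common on small devices, stores its host keys in its own binary format, so for running devices it is also worth comparing `ssh-keyscan` and `openssl s_client` fingerprints across your fleet and flagging any that match.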

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
