SEC Consult first warned about private key sharing in November 2015. After looking at 4,000 internet-connected devices using hardware from 70 makers, the international security consultancy concluded that far too many devices were accessible with the same ‘skeleton key’. Vulnerable products included anything from home routers, to Internet of Things (IoT) appliances, to industrial equipment.
Now, the situation appears to be getting rapidly worse. A recent update from SEC found a 40 percent increase in key sharing over just nine months; 4.5 million devices are currently at risk, 1.3 million more than last autumn. Key sharing is a privacy risk because it means that cracking a single code gives hackers access to numerous different devices. With the risk of leaks so high, privacy services, such as those offered by ReputationDefender, are becoming even more important.
A closer look at key sharing
The root of the problem is the replication of known encryption keys and certificates across multiple internet-connected products. These keys and certificates underpin the encrypted connections used to access HTTPS sites. HTTPS stands for HyperText Transfer Protocol Secure. In contrast to the HTTP prefix, HTTPS indicates that the connection is being protected by some form of encryption. SEC Consult studied SSH host keys, SSL private keys and X.509 certificates.
This might sound a bit obscure to the average internet user, but the numbers speak for themselves. SEC found two certificates duplicated most commonly: 500,000 products have been found using the first, while 280,000 web connected systems employ the second. In all, the latest research uncovered 331 matching certificates and 553 individual private keys shared across all 4.5 million products.
With a number of large-scale hacks in the news recently, most people have heard about the dangers of reusing the same password across personal accounts. Essentially, this is what manufacturers are doing on a larger scale. Hackers are able to extract the private key from one device and then use it to log into thousands of others, or to launch a ‘man-in-the-middle’ attack by decrypting a connection in progress.
Why is this happening?
Mostly it comes down to laziness on the part of vendors and manufacturers. Software development tools are sold to manufacturers with default keys already in place, and little or no effort is then made to individualize these security codes. Example certificates that can be extracted easily by anyone with the right technical ability are often copied straight into the finished product.
SEC Consult says the increase in vulnerabilities is due to a lack of security patching by vendors; insufficient firewalling by users and ISPs, and the growing number of IoT appliances, also contribute greatly. In the end, the solution requires each specific device to employ an individual key. However, this would require sellers to maximize security and manufacturers to be more responsible about the products they release.
What can you do?
To increase security, SEC Consult recommends that “end users should change the SSH host keys and X.509 certificates to device-specific ones,” but goes on to add, “this is not always possible.” The technical skill required goes beyond that of most buyers, and many devices don’t even give end users permission to update the security configuration. As such, there is not much an individual can do to protect themselves against this threat except to limit the number of IoT appliances in their home and, again, recognize that any action taken on the internet is essentially public.
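The duplicate-key counting described under “A closer look at key sharing” and the advice above to move devices to device-specific keys both come down to one check: do any two devices on your network present the same SSH host key or the same X.509 certificate? The following script is an added example written for this article, not code from SEC Consult or from any vendor. It fingerprints keys the way ssh-keygen -lf and openssl x509 -fingerprint do (SHA-256 of the raw key blob or DER certificate) and reports every fingerprint that appears on more than one host. The inventory it runs on is constructed inline: the ssh-ed25519 blobs and the certificate bytes are placeholders, not real keys, so that it runs offline; on a real network the input would be the output of ssh-keyscan and the PEM certificates each device serves.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as used in the OpenSSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(host: str, seed: int) -> str:
    """Constructed ssh-keyscan style line: the 32-byte 'key' is derived from
    seed and is NOT a real Ed25519 key; devices built with the same seed
    stand in for devices shipped with the same firmware key."""
    key = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = ssh_string(b"ssh-ed25519") + ssh_string(key)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def make_fake_pem(seed: int) -> str:
    """Constructed PEM block with placeholder bytes (not a parseable certificate);
    only its DER bytes matter for fingerprinting."""
    der = hashlib.sha256(b"cert" + seed.to_bytes(4, "big")).digest() * 4
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def ssh_fingerprint(b64_blob: str) -> str:
    """SHA-256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor lines and decode the base64 body to DER bytes."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER encoding, colon-separated like openssl x509 -fingerprint."""
    hexdigest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return "SHA256:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_keyscan(lines):
    """Yield (host, key type, fingerprint) for each ssh-keyscan output line; skip comments."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, b64 = parts[0], parts[1], parts[2]
        yield host, keytype, ssh_fingerprint(b64)


def cert_records(host_to_pem):
    """Yield (host, 'x509', fingerprint) for each host's served certificate."""
    for host, pem in host_to_pem.items():
        yield host, "x509", cert_fingerprint(pem)


def find_shared(records):
    """Group hosts by (kind, fingerprint); keep only fingerprints seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, kind, fp in records:
        hosts_by_fp[(kind, fp)].add(host)
    return {k: sorted(v) for k, v in hosts_by_fp.items() if len(v) > 1}


def audit(keyscan_lines, host_to_pem):
    """Combine SSH host keys and certificates into one shared-key report."""
    records = list(parse_keyscan(keyscan_lines)) + list(cert_records(host_to_pem))
    return find_shared(records)


# Constructed inventory: three routers sharing one firmware host key (seed 1),
# two devices with individual keys, and two devices serving the same certificate.
SAMPLE_KEYSCAN = [
    "# ssh-keyscan output, constructed for this example",
    make_ed25519_pubkey_line("192.0.2.10", 1),
    make_ed25519_pubkey_line("192.0.2.11", 1),
    make_ed25519_pubkey_line("192.0.2.12", 1),
    make_ed25519_pubkey_line("192.0.2.20", 2),
    make_ed25519_pubkey_line("192.0.2.21", 3),
]
SAMPLE_CERTS = {
    "192.0.2.10": make_fake_pem(1),
    "192.0.2.30": make_fake_pem(1),
    "192.0.2.20": make_fake_pem(2),
}

if __name__ == "__main__":
    for (kind, fp), hosts in audit(SAMPLE_KEYSCAN, SAMPLE_CERTS).items():
        print(f"{kind} {fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Every device that shows up in the report is one where the vendor’s key, not yours, is protecting the connection; those are the devices to regenerate keys on where the firmware allows it, or to keep off the open internet where it does not.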