HTTPS, putting the security into HTTP. Or so we thought. A new report has looked at thousands of connected devices and found that the private keys behind 9pc of all HTTPS hosts on the web are shared between devices, leaving those hosts open to impersonation, man-in-the-middle or passive decryption attacks.
Security company SEC has analysed the public keys, private keys and certificates found in the firmware of more than 4,000 embedded devices, including internet gateways, routers, modems, IP cameras and internet-connected phones, and found a ‘worrying’ number of vulnerabilities.
After combining its findings with internet-wide scan data from Scans.io and Censys.io, SEC reckons 150 of those certificates, in use on 3.2m hosts, are there to be targeted.
Across all the firmware analysed, SEC found 580 unique private keys, 230 of which were actively in use on the internet, and because each of these keys ships inside every unit of the products that embed it, extracting it once exposes all of them.
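The core of that analysis is a grouping step: list the public key each scanned host presents and see which keys turn up on more than one host, since every host presenting the same public key holds the same private key. The script below is an added example, not code from the report or from Scans.io/Censys; its scan records are constructed, and it hashes placeholder byte strings where a real run would hash each host's DER SubjectPublicKeyInfo (SPKI) and certificate. It also shows why the comparison has to be done on the key rather than the certificate: a vendor can ship one firmware key inside certificates with different subjects, and a certificate-level match would miss those hosts.

```python
"""Group scanned hosts by the public key they present, to find private keys
shared across many devices (the pattern in the SEC findings above).

Added example: not code from the report or from Scans.io/Censys. The scan
records are constructed; a real run would take the certificate and SPKI
fingerprints from an internet-scan export.
"""
import hashlib
from collections import defaultdict

# Constructed stand-ins for DER-encoded public keys. In a real data set these
# would be the raw SPKI bytes taken from each host's certificate.
KEY_VENDOR_X = b"RSA-2048 constructed key, baked into vendor X firmware"
KEY_VENDOR_Y = b"RSA-1024 constructed key, baked into vendor Y firmware"
KEY_UNIQUE_1 = b"RSA-2048 constructed key, generated on gateway #1"
KEY_UNIQUE_2 = b"RSA-2048 constructed key, generated on gateway #2"


def record(host, product, cert_label, key):
    """One scan record. A certificate embeds its public key, so two hosts with
    the same certificate share a key, but two hosts can also share a key while
    presenting different certificates (different subject names, for example)."""
    cert_bytes = cert_label.encode() + b"|" + key  # constructed certificate
    return {
        "host": host,
        "product": product,
        "cert_fp": hashlib.sha256(cert_bytes).hexdigest(),
        "spki_fp": hashlib.sha256(key).hexdigest(),
    }


# Constructed scan results (documentation address ranges).
SCAN = [
    record("198.51.100.10", "Vendor X router", "X default cert", KEY_VENDOR_X),
    record("198.51.100.11", "Vendor X router", "X default cert", KEY_VENDOR_X),
    # Same firmware key, but the modem line ships a certificate with a
    # different subject: a certificate-level comparison would not link it.
    record("203.0.113.5", "Vendor X modem", "X modem cert", KEY_VENDOR_X),
    record("203.0.113.77", "Vendor Y IP camera", "Y camera cert", KEY_VENDOR_Y),
    record("192.0.2.8", "Vendor Y IP camera", "Y camera cert", KEY_VENDOR_Y),
    record("192.0.2.9", "Vendor Z gateway", "Z gateway cert", KEY_UNIQUE_1),
    record("192.0.2.10", "Vendor Z gateway", "Z gateway cert", KEY_UNIQUE_2),
]


def group_hosts(records, by="spki_fp"):
    """Map each fingerprint (key or certificate) to the hosts presenting it."""
    groups = defaultdict(list)
    for r in records:
        groups[r[by]].append(r["host"])
    return dict(groups)


def shared(records, by="spki_fp", min_hosts=2):
    """Fingerprints seen on at least min_hosts hosts. For SPKI fingerprints,
    every host in a group holds the same private key."""
    return {fp: hosts for fp, hosts in group_hosts(records, by).items()
            if len(hosts) >= min_hosts}


def affected_fraction(records, by="spki_fp"):
    """Share of scanned hosts whose key (or certificate) is not unique to them."""
    hit = sum(len(hosts) for hosts in shared(records, by).values())
    return hit / len(records)


def missed_by_cert_match(records):
    """Hosts that only a key-level comparison links to a shared private key."""
    by_key = {h for hosts in shared(records, "spki_fp").values() for h in hosts}
    by_cert = {h for hosts in shared(records, "cert_fp").values() for h in hosts}
    return sorted(by_key - by_cert)


if __name__ == "__main__":
    for fp, hosts in shared(SCAN).items():
        print(f"key {fp[:16]}... shared by {len(hosts)} hosts: {', '.join(hosts)}")
    print(f"hosts with a shared key: {affected_fraction(SCAN):.0%}")
    print("only visible at key level:", missed_by_cert_match(SCAN))
```

On the constructed data, five of the seven hosts present a key that some other host also presents, but only four of them would be caught by matching on certificate fingerprints; the modem that reuses the router firmware's key under a different certificate is found only at the key level. Run over a full Scans.io or Censys export instead of a handful of records, this grouping is how a key found in one firmware image is linked to every host on the internet that presents it.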
Getting hold of these keys is not difficult: they sit unprotected inside firmware images, which is exactly where SEC pulled them from, and whoever holds a device’s private key can pass themselves off as that device to anything that connects to it.
In practice that means an attacker on the network path can impersonate a device’s HTTPS or SSH interface, intercept or decrypt its sessions, and deliver malware dressed up as a genuine-looking update to every device that shares the key.
“We found more than 900 products from about 50 vendors to be vulnerable,” reads the report. “Of course our data is limited to the firmware we had access to.”
The full list of vendors affected is available here.
SEC has listed some advice for those affected, from vendor level down. At the top, vendors should make sure every single device gets its own randomly generated cryptographic keys, either created on the device from an adequate source of randomness or injected per unit during manufacturing, rather than a set shared across a whole product line.
ISPs should make sure their customers’ devices cannot be reached remotely over the WAN port, and “end users should change the SSH host keys and X.509 certificates to device-specific ones”.