SEC Consult, our long-term supporter, has updated a report on the use of encryption keys in firmware. These hardcoded cryptographic secrets pose a serious threat to information security. The report features 50 different vendors and has some interesting statistics. The results were coordinated with CERT/CC in order to inform the vendors about the problem. The highlights of the research includes:
- 40% increase in devices on the web using known private keys for HTTPS server certificates
- 331 certificates and 553 individual private keys (accessible via Github)
- some crypto material is used by 500,000 and 280,000 devices on the web as of now
The recommendations are crystal clear: Make sure that each device uses random and unique cryptographic material. If operating systems can change account passphrases after initialisation, so can your device. Take care of management interfaces! This is especially important for anyone dealing with infrastructure (Internet service providers for example). User can also do something. Ensure that your (Open)SSH keys change regularly. The same must be true for X.509 certificates and keys. Do not reuse the key material! Once the certificate expires, so does your key! Change it!
The report should be read in the light of the dreaded Internet of Things (IoT). Smart devices are prone to bad crypto habits. It’s bad enough that some protocols are cryptographically weak or broken, but keys and certificates should be addressed by a proper process. This is all part of the design, deployment, and maintenance process.
Make no mistake, the material is now on Github and can be actively exploited. Do your homework now. In case you need to refresh your memory where cryptography is concerned, we recommend the training conducted by Juraj Somorovsky.