900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys

Rayzer Rayzer@riseup.net
Thu Nov 26 12:32:55 PST 2015


900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys

Posted by timothy on Thursday November 26, 2015 @03:00PM from the
same-assembly-line dept.

An anonymous reader writes:

Embedded devices of some 50 manufacturers have been found sharing the
same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact
that can be exploited by a remote, unauthenticated attacker to carry out
impersonation, man-in-the-middle, or passive decryption attacks
<http://www.net-security.org/secworld.php?id=19159>.

SEC Consult has analyzed firmware images of more than 4000 embedded
devices of over 70 vendors — firmware of routers, IP cameras, VoIP
phones, modems, etc. — and found that, in some cases, there are nearly
half a million devices on the web using the same certificate.

http://hardware.slashdot.org/story/15/11/26/1541216/900-embedded-devices-share-hard-coded-certs-ssh-host-keys

