Vendors should make sure that each device uses random and unique cryptographic keys
In the course of an internal research project SEC Consult's experts have analyzed the firmware images of more than 4000 embedded devices of over 70 vendors. The devices include Internet gateways, routers, modems, IP cameras, VoIP phones, etc. SEC Consult's experts have specifically analyzed cryptographic keys (public keys, private keys, certificates) in firmware images. The most common use of these static keys is:
- SSH Host keys (keys required for operating a SSH server)
- X.509 Certificates used for HTTPS (default server certificate for web based management)
They have found more than 580 unique private keys distributed over all the analysed devices. Correlation via the modulus allows the experts to find matching certificates.
SEC Consult's experts suggest that ISPs have to make sure the remote access via the WAN port to CPEs is not possible. In case the ISP needs access for remote support purposes, setting up a dedicated management VLAN with strict ACLs (no CPE to CPE communication) is recommended.