Industry News Smart Home

Number of Devices Using Known Private Keys for Communication Increases 40%

Despite repeated warning from cybersecurity specialists, some vendors don’t see the importance of online security until disaster hits. This includes the reuse of encryption, a practice that has been going on for a long while and seems to be growing in popularity instead of disappearing.

Some 4.5 million IoT devices, network appliances and embedded systems have been using known private keys for HTTPS and SSH servers – a 40% increase from the figures released in 2015 research by SEC Consult. Once the key is extracted, these devices and gadgets are easily exposed. Because their communication would no longer be encrypted, it could be easily spied on, while millions of devices and networks might be simultaneously attacked and manipulated by hackers.

Vendors’ inability “to provide patches for security vulnerabilities including but not limited to legacy/EoL products might be a significant factor, but even when patches are available, embedded systems are rarely patched,” explained Stefan Viehböck, Senior Security Consultant at SEC Consult. Other factors may also be “insufficient firewalling of devices on the WAN side (by users, but also ISPs in case of ISP-supplied customer premises equipment, CPE) and the trend of IoT-enabled products.”

Vendors have to step up their game and invest in proper security for their devices. Most importantly, vendors and ISPs should work together to make sure that each device has a unique encryption key. Not only vendors, but also ISPs have to make sure that “remote access via the WAN port to CPEs is not possible.”

About the author

Luana PASCU

From a young age, Luana knew she wanted to become a writer. After having addressed topics such as NFC, startups, and tech innovation, she has now shifted focus to internet security, with a keen interest in smart homes and IoT threats. Luana is a supporter of women in tech and has a passion for entrepreneurship, technology, and startup culture.

1 Comment

Click here to post a comment
  • It's true that millions of devices, are sharing known private keys. I totally agree that it is not difficult to extract these keys and use them to eavesdrop on encrypted connections and interfere with the equipment. Another thing to watch out for is that so many models and products are using the same keys, it's possible to attack thousands of devices at once.

    The ultimate solution to the problem, could be like each device should be forced to have a unique security key for data transmissions. In most cases, this responsibility will fall on the vendors to step up their security efforts both before and after hardware is released. Though end users can't do much about it – but they can change the SSH host keys and X.509 certificates to device-specific ones, but that also a fact that not all devices allow these changes to be made.