Despite repeated warnings from cybersecurity specialists, some vendors don’t see the importance of online security until disaster hits. This includes the reuse of encryption keys across devices, a practice that has been going on for a long while and seems to be growing in popularity instead of disappearing.
Some 4.5 million IoT devices, network appliances and embedded systems have been using known private keys for their HTTPS and SSH servers – a 40% increase over the figures released in 2015 research by SEC Consult. Once the key is extracted from a single unit, every device sharing it is exposed. Because anyone holding the key can decrypt or impersonate their communication, it could easily be spied on, while millions of devices and networks might be simultaneously attacked and manipulated by hackers.
Vendors’ inability “to provide patches for security vulnerabilities including but not limited to legacy/EoL products might be a significant factor, but even when patches are available, embedded systems are rarely patched,” explained Stefan Viehböck, Senior Security Consultant at SEC Consult. Other factors may also be “insufficient firewalling of devices on the WAN side (by users, but also ISPs in case of ISP-supplied customer premises equipment, CPE) and the trend of IoT-enabled products.”
Vendors have to step up their game and invest in proper security for their devices. Most importantly, vendors and ISPs should work together to make sure that each device has a unique encryption key. Not only vendors, but also ISPs have to make sure that “remote access via the WAN port to CPEs is not possible.”
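A check that a vendor or ISP can run against its own fleet to confirm the per-device key requirement is actually met, added here as a worked example (it is not code from the article or from SEC Consult): it takes SSH host keys in the format ssh-keyscan prints, computes the OpenSSH-style SHA256 fingerprint of each key, and reports any fingerprint seen on more than one host, plus any that appear on a list of already-published (leaked) keys. The hostnames, key blobs and the "known bad" list below are constructed for the demonstration; a real audit would feed in a scan of the fleet and the published list of compromised fingerprints.

```python
# Added example (not from the article or SEC Consult): audit SSH host keys for
# reuse across devices. Input is in ssh-keyscan's output format:
#   <host> <key-type> <base64 key blob>
# All sample hosts and keys here are constructed, not real devices.
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple


def _ed25519_blob(raw32: bytes) -> str:
    """Build a base64 OpenSSH wire blob for a *constructed* Ed25519 public key.
    Only used to fabricate sample input; raw32 is an arbitrary 32-byte value,
    not a key anyone actually uses."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


# Constructed fleet: two CPE routers ship the same factory key, and one NAS
# uses a key that is already on a (constructed) list of leaked keys.
SHARED_BLOB = _ed25519_blob(b"\x11" * 32)
CAM_BLOB = _ed25519_blob(b"\x22" * 32)
NAS_BLOB = _ed25519_blob(b"\x33" * 32)
SAMPLE_SCAN = "\n".join([
    "# constructed ssh-keyscan output",
    "cpe-a.example ssh-ed25519 " + SHARED_BLOB,
    "cpe-b.example ssh-ed25519 " + SHARED_BLOB,
    "cam-1.example ssh-ed25519 " + CAM_BLOB,
    "nas-1.example ssh-ed25519 " + NAS_BLOB,
])


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the SHA-256
    of the raw key blob (the same value `ssh-keygen -lf` prints)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed stand-in for a published list of leaked fingerprints.
KNOWN_BAD: Set[str] = {fingerprint(NAS_BLOB)}


def parse_keyscan(text: str) -> List[Tuple[str, str, str]]:
    """Parse ssh-keyscan output into (host, key type, blob); skips comments,
    blank lines and malformed rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def find_reused_keys(text: str, known_bad: Optional[Set[str]] = None) -> Dict[str, Dict[str, List[str]]]:
    """Group hosts by host-key fingerprint.
    Returns {"reused": {fp: [hosts...]}, "known_bad": {fp: [hosts...]}}:
    'reused' lists fingerprints shared by more than one host (a factory key
    baked into firmware), 'known_bad' lists hosts whose key is already public."""
    known_bad = known_bad or set()
    by_fp: Dict[str, List[str]] = defaultdict(list)
    for host, _ktype, blob in parse_keyscan(text):
        by_fp[fingerprint(blob)].append(host)
    reused = {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}
    flagged = {fp: hosts for fp, hosts in by_fp.items() if fp in known_bad}
    return {"reused": reused, "known_bad": flagged}


if __name__ == "__main__":
    report = find_reused_keys(SAMPLE_SCAN, KNOWN_BAD)
    for fp, hosts in report["reused"].items():
        print("REUSED  ", fp, "on", ", ".join(hosts))
    for fp, hosts in report["known_bad"].items():
        print("LEAKED  ", fp, "on", ", ".join(hosts))
```

The same grouping works for HTTPS: fingerprint the server certificate's public key instead of the SSH blob and any fingerprint that recurs across devices points at a key that never left the factory image. A host whose key is on the leaked list should be treated as having no transport security at all until the key is regenerated on the device itself.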