900 Embedded Devices Share Hard-Coded Certs, SSH Host Keys

Posted by timothy on Thursday November 26, 2015 @03:00PM from the
same-assembly-line dept.

An anonymous reader writes:

Embedded devices of some 50 manufacturers have been found sharing the
same hard-coded X.509 certificates (for HTTPS) and SSH host keys, a fact
that can be exploited by a remote, unauthenticated attacker to carry out
impersonation, man-in-the-middle, or passive decryption attacks
<http://www.net-security.org/secworld.php?id=19159>.

SEC Consult has analyzed firmware images of more than 4000 embedded
devices of over 70 vendors — firmware of routers, IP cameras, VoIP
phones, modems, etc. — and found that, in some cases, there are nearly
half a million devices on the web using the same certificate.

http://hardware.slashdot.org/story/15/11/26/1541216/900-embedded-devices-share-hard-coded-certs-ssh-host-keys

