Thousands of routers, modems, IP cameras, VoIP phones and other embedded devices share the same hard-coded SSH (Secure Shell) host keys or HTTPS (HTTP Secure) server certificates, a study found.
By extracting those keys, hackers can potentially launch man-in-the-middle attacks to intercept and decrypt traffic between users and millions of devices.
Researchers from security firm SEC Consult analyzed firmware images for over 4,000 models of embedded devices from more than 70 manufacturers. In them they found over 580 unique private keys for SSH and HTTPS, many of them shared between multiple devices from the same vendor or even from different ones.
To read this article in full or to leave a comment, please click here