Embedded devices use non-unique X.509 certificates and SSH host keys that can be leveraged in impersonation, man-in-the-middle, or passive decryption attacks.
CWE-321: Use of Hard-coded Cryptographic Key - Multiple CVEs
Research by Stefan Viehbཬk of SEC Consult has found that numerous embedded devices accessible on the public Internet use non-unique X.509 certificates and SSH host keys. Products are identified as vulnerable if unpacked firmware images are found to contain hard-coded keys or certificates whose fingerprints can be matched to data from the Internet-wide scan data repository, scans.io (specifically, see SSH results and SSL certificates). Affected devices range broadly from home routers and IP cameras to VOIP phones.
A remote, unauthenticated attacker may be able to carry out impersonation, man-in-the-middle, or passive decryption attacks, resulting in sensitive information exposure.
In most cases, the CERT/CC is unaware of a practical solution to this problem. Some vendors have indicated that updates or guidance will be provided, and this information will be updated within individual vendor information pages below when known. Users are encouraged to contact device vendors for more information.
Change X.509 certificates or SSH host keys
D-Link Systems, Inc.
NetComm Wireless Limited
Alpha Networks Inc
Edimax Computer Company
National Cyber Security Center - Netherlands
Seagate Technology LLC
Seowon Intech Inc
Vodafone Group, Inc.
Western Digital Technologies
Thanks to Stefan Viehböck of SEC Consult for reporting this vulnerability.
This document was written by Joel Land.