Insecurity experts at SEC Consult have been looking under the bonnet of Internet of Things code and found that they are being made insecure because too much code is being copied.
SEC Consult found that SSH cryptographic keys and HTTPS secure server certificates from 4,000 different devices offered by 70 different manufacturers and found a security nightmare. Credentials are often hard-coded and re-used among many different devices from sometimes even different companies.
In fact, of 4,000 devices, SEC found only 580 unique keys. This basically means that 4,000 rooms will have 580 different locks.
The sort of keys involved are home routers, modems, IP cameras, VoIP phones and the vulnerablities are not smalll.
The static keys come with the software or the software development kit (SDK) the software is based on. The logic of reusing them is because a no one is ever going to maliciously SSH their way into someone’s fridge.
SEC said: “The source of the keys is an interesting aspect. Some keys are only found in one product or several products in the same product line. In other cases we found the same keys in products from various different vendors. The reasons vary from shared/leaked/stolen code, white-label devices produced by different vendors (OEM, ODM products) to hardware/chipset/SoC vendor software development kits (SDKs) or board support packages firmware is based on.”
The matter is being tracked and addressed with help from the Carnegie Melon University Software Engineering Institute. Venders are apparently also looking into it.
Software giant Microsoft has killed off two dodgy security certificates being used on Dell bloatware.
Updates apply to Windows Defender for Windows 10 and 8.1; Microsoft Security Essentials for Windows 7 and Vista; and its Safety Scanner and Malicious Software Removal tool, will remove the certificates.
Dell mistakenly included private encryption keys for two digital certificates installed in the Windows root store as part of service tools that made its technical support easier. The tools transmit back to Dell what product a customer is using.
However the private keys in both of the digital certificates could be used by attackers to sign malware, create spoof websites and conduct man-in-the-middle attacks to spy on user’s data.
One of the certificates is named eDellRoot and the other DSDTestProvider. Exposure to the latter certificate was likely more limited, as users had to download it, and the risky version was only available between October 20 and November 24, Dell claoms.
But the eDellRoot certificate, however, shipped with many new Dell laptop and desktop models. Also, older computers that ran the support tool, Dell Foundation Services (DFS), may also have been affected if DFS was configured for automatic updates.
Dell has issued an upgrade itself to remove the certificates, and it also described how to remove the certificates manually. Microsoft’s tool may help those who for one reason or another haven’t either downloaded or received the updates from Dell.