85160670 (banned)

Member

Tens of thousands of home routers at risk with duplicate SSH keys

To_gather again..."A setup mistake has apparently left hundreds of thousands of home routers running the SSH (Secure Shell) remote access tool with identical private and public keys.

John Matherly used Shodan, a specialized search engine for querying Internet-connected devices, and found more than 250,000 devices that appear to be deployed by Telefónica de España sharing the same public SSH key.

Matherly, who founded Shodan, performed the search after someone posted a shorter version of a public key -- called a fingerprint -- for their device.

He was surprised to find more than 250,000 other devices, mostly in Spain, that shared the same public key fingerprint. It means the devices -- which are likely home routers -- also have the same private key, which could pose a security risk.

A different search found another 150,000 devices, mostly in China and Taiwan, that have the same problem.

Matherly said in a phone interview on Wednesday it is possible the manufacturers copied the same operating system image to all of the routers.

Another explanation is that an ISP reflashed the devices with custom settings, but did so insecurely, Matherly said. Newly imaged devices running SSH should be configured to generate their own unique key pairs.

But it is questionable whether SSH should be running on a home router anyway. It is used by administrators to enable encrypted, remote access to a system, but that capability isn't usually needed for home routers. All of the Telefónica de España routers were running a version of SSH called Dropbear."...[ »www.csoonline.com/articl ··· eys.html ]

Bill_MI

MVM

You can just imagine the flawed logic...

CEO: The best security firm on earth just gave us meticulously tweaked code for our new router. Here's the firmware image - now make a million exact copies! We want our products to be the best at security!

He/She meant well.

SipSizzurp to 85160670

Premium Member

Hasn't it always been true that if you can crack one SSH key you could crack them all?

Chubbzie

Member

No, keys should be unique. Totally defeats the purpose if they were all utilizing the same key.

dave to SipSizzurp

Premium Member

said by SipSizzurp:

Hasn't it always been true that if you can crack one SSH Key you could crack them all ?

It's not 'cracking' if the same key opens every single lock sold by a particular vendor: you buy one lock legitimately, and immediately have access to everyone else's lock you care to.

EUS to 85160670

Premium Member

I'm still trying to wrap my head around the logic of allowing outside access of any kind, to a router.

Bill_MI

MVM

said by EUS:

I'm still trying to wrap my head around the logic of allowing outside access of any kind, to a router.

While that's a hugely valid point, both convenience and greed seem to be the new order. People, businesses and governments will do things only "because they can". Easily predictable is a wide awakening coming to a planet near you.

dave to EUS

Premium Member

said by EUS:

I'm still trying to wrap my head around the logic of allowing outside access of any kind, to a router.

Remote management is sometimes useful. Say, for example, if the nearest person with a clue is a couple of hours away.

One would hope that the concept of 'username and password' counts for something.

SipSizzurp to dave

Premium Member

said by dave:

you buy one lock legitimately, and immediately have access to everyone else's lock you care to.

The SSH key is responsible for the encryption algorithm established for a secure connection, yes? So if I buy one of these cloned routers I can extract my own key from it and then use that key in a man-in-the-middle attack to decrypt other secure traffic? When you log into your bank account, is that secure connection using the SSH key from the router or from your browser client? Or am I cross-mixing different things?

dave

Premium Member

I believe from the published description that the keypair in question is used for authenticating the server to the client. If the server is (as it should be) the sole possessor of the private key, it can prove its identity to you by signing a message that you can verify by using the known public key.

But since everyone and his dog knows the same private key, anyone can make a rogue server for a man-in-the-middle attack.

Data encryption is done using a mutually-negotiated symmetric key, not the public-private keypair. This is the usual arrangement for crypto: you want a one-time-only key for encryption.

This is specific to ssh, not any web access.

When you log in to your bank account from a PC, no router keys are involved. Encryption is between your PC and the bank. If the router were involved, that would be a man-in-the-middle attack on you by the router, regardless of whether or not all routers were using the same keys.
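
The fingerprint comparison behind the Shodan search in the first post, and dave's point that a host key is supposed to identify exactly one server, as an added example that is not from the thread or the article: the script below (my own code) fingerprints known_hosts-style entries the way OpenSSH displays them and flags any key that more than one device presents. The hostnames and keys are constructed sample data; the same check works on real known_hosts lines or on keys collected from a fleet of routers, Dropbear included, since the key blob format is shared.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def ssh_fingerprints(b64_blob):
    """Return (SHA256, MD5) fingerprints of a base64 key blob in OpenSSH's display formats."""
    blob = base64.b64decode(b64_blob)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def parse_known_hosts(text):
    """Yield (host, keytype, b64_blob) from known_hosts-style lines; skip blanks and comments."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            yield parts[0], parts[1], parts[2]

def find_shared_keys(text, threshold=2):
    """Group hosts by host-key fingerprint; return only fingerprints seen on >= threshold hosts."""
    groups = defaultdict(list)
    for host, _keytype, blob in parse_known_hosts(text):
        groups[ssh_fingerprints(blob)[0]].append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) >= threshold}

def fake_ed25519_pubkey(seed):
    """Constructed test data: a syntactically valid ssh-ed25519 blob whose 32-byte point comes from seed."""
    keytype = b"ssh-ed25519"
    point = hashlib.sha256(bytes([seed])).digest()
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", len(point)) + point
    return base64.b64encode(blob).decode()

# Constructed sample: routers a, b and c were imaged from the same firmware and share one key.
SAMPLE = "\n".join([
    "router-a.example ssh-ed25519 " + fake_ed25519_pubkey(1),
    "router-b.example ssh-ed25519 " + fake_ed25519_pubkey(1),
    "router-c.example ssh-ed25519 " + fake_ed25519_pubkey(1),
    "router-d.example ssh-ed25519 " + fake_ed25519_pubkey(2),
])

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE).items():
        print(f"{fp} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any fingerprint listed by this check is one that a client would accept from every device in its group, so none of those devices can prove it is the one you meant to reach.
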

SipSizzurp

Premium Member

Thanks for the clarification. So this whole scenario about a million routers with the same key is pretty much insignificant as a real-world threat? Just a fantastic oversight that security experts can point fingers at and gawk, but no harm done? No significant data streams intercepted, no DNS settings on routers changed by hackers?