Database of Private SSL Keys Published 200
Trailrunner7 writes "A new project has produced a large and growing list of the private SSL keys that are hard-coded into many embedded devices, such as consumer home routers. The LittleBlackBox Project comprises a list of more than 2,000 private keys right now, each of which can be associated with the public key of a given router, making it a simple matter for an attacker to decrypt the traffic passing through the device. Published by a group called /dev/ttyS0, the LittleBlackBox database of private keys gives users the ability to find the key for a specific router in several different ways, including by searching for a known public key, looking up a device's model name, manufacturer or firmware version or even giving it a network capture, from which the program will extract the device's public certificate and then find the associated private SSL key."
Re:what? (Score:5, Informative)
Re:what? (Score:4, Informative)
Re:what? (Score:5, Informative)
2) Attacker is either listening passively or is a man in the middle (via ARP poisoning or what have you). Because they have the private key, they can advertise themselves as being the router without raising the alarm with your SSH client or browser
3) You provide credentials to the router (or MITM). The credentials are logged by the attacker
4) You proceed to do whatever you intended to do in the router's configuration, and log out.
5) Some time later, the attacker logs into the router as you, and makes nefarious changes to the router configuration (such as uploading compromised firmware which logs traffic, or has a backdoor, etc). Any changes done look like they've been done by the router administrator.
I don't know how likely this is in a work scenario though; I haven't searched the database for common mid-level to enterprise routers/remotely configurable switches. More than likely, in a work situation, you'd be using hardware which generates a key pair upon initial configuration. The scenario above is more likely to apply to SOHO, or to consumer wireless hardware in the home.
Re:DD-WRT? (Score:3, Informative)
Re:DD-WRT? (Score:5, Informative)
that's the SSH key. The article is talking about the SSL key used by the embedded web server, ie. when you go to https://192.168.1.1/ [192.168.1.1] . TFA also specifically says this DOES affect DD-WRT.
Misleading^2 (Score:5, Informative)
I'd think it would only be *to* the device
That, and I think the attacker has to be on the network you're using to administer the device.
For a home router, with remote administration hopefully disabled, that would be your local net. So, if you have an attacker in your living room https: // 192.0.0.1 (or whatever) won't be any saver than http: // 192.0.0.1
Re:The cost of CA-signing each key (Score:5, Informative)
This has zit to do with certification authorities, because the certificate would not be recognized as valid by any browser, because the DNS name would not match. And no certification authority worth their salt would sign a certificate for 10.0.0.1 or similar nonsense.
So, the solution would be D. generate a unique private/public key pair for each device, and have the user manually accept the certificate as an "exception" on first usage. Which he has to do anyways, even if all routers use the same certificate.
Moderators, please don't mod articles about certificates if you don't understand how certificates work.