Wednesday, December 22, 2010

Group Publishes Database of Embedded Private SSL Keys

A new project has produced a large and growing list of the private SSL keys that are hard-coded into many embedded devices, such as consumer home routers. The LittleBlackBox Project comprises a list of more than 2,000 private keys right now, each of which can be associated with the public key of a given router, making it a simple matter for an attacker to decrypt the traffic passing through the device.
Published by a group called /dev/ttyS0, the LittleBlackBox database of private keys gives users the ability to find the key for a specific router in several different ways, including by searching for a known public key, looking up a device's model name, manufacturer or firmware version or even giving it a network capture, from which the program will extract the device's public certificate and then find the associated private SSL key.
Craig Heffner, a member of the group who developed the project, posted a link to the database on Saturday on the Full Disclosure mailing list. Users can download the LittleBlackBox code from Google Code. The fact that encryption keys were hard-coded into many embedded devices has been known for some time, but extracting the key and then finding a router that's using it has been a challenge until now.
"Here’s where it gets fun: many of these devices use hard-coded SSL keys that are baked into the firmware. That means that if Alice and Bob are both using the same router with the same firmware version, then both of their routers have the same SSL keys. All Eve needs to do in order to decrypt their traffic is to download the firmware from the vendor’s Web site and extract the SSL private key from the firmware image," the group said in a blog post accompanying the code release. "Currently LittleBlackBox has over 2,000 unique private SSL keys and growing, primarily belonging to routers and VPNs. Although at the moment the vast majority of the keys belong to various DD-WRT firmware, there are keys from Cisco, Linksys, D-Link and Netgear as well."
SSL is the default standard for encryption on the Web and is used to secure most transactions online, including e-commerce and online banking.

No comments:

Post a Comment