Research by SEC Consult shows that millions of IoT devices, from home routers through to equipment in hospitals and factories, ship with the same SSH host keys and X.509 certificates baked into their firmware, so the corresponding private keys are widely known. Anyone holding such a private key can impersonate the device to whatever connects to it, sit in the middle of its SSH or TLS sessions, decrypt traffic where the key exchange gives no forward secrecy, and harvest passwords or alter packets on the fly. Imagine a heart monitor that keeps reporting a strong heartbeat long after the patient has died, or a large machine in a power plant fed false readings so that it runs past its safety margins and destroys itself. The problem is getting worse, because many companies building these devices either save money by reusing packaged SDK or reference firmware, keys included, or are simply unaware of what reusing a key implies.
If you can, regenerate the keys on your devices so that each one has its own, and put the devices on an isolated network segment. As The Register unhappily points out, the average consumer or purchasing department is not aware of this, let alone proficient enough to replace the keys on their devices.
"Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications."
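The quickest way to find out whether your own devices are affected is to collect their SSH host keys and look for fingerprints that turn up on more than one host. The following is an added example, not code from SEC Consult or from the original article: it parses `ssh-keyscan`-style output (`host keytype base64blob`), computes OpenSSH-style SHA256 fingerprints, and reports every key shared by more than one device. The sample lines, the 192.0.2.x addresses and the key blobs are constructed for the demonstration; the key blobs are synthetic ssh-ed25519 public keys built from arbitrary bytes, not keys from any real product.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> str:
    """Build the base64 blob of an ssh-ed25519 public key from 32 raw key bytes.

    Used here only to construct sample input; real input comes from ssh-keyscan.
    """
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: 'SHA256:' + base64(SHA-256(key blob)) without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Yield (host, keytype, blob) from ssh-keyscan output, skipping comments and blank lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, ignore rather than crash the audit
        yield parts[0], parts[1], parts[2]


def shared_host_keys(lines):
    """Return {fingerprint: sorted hosts} for every host key seen on more than one host."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(lines):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample: three devices running the same firmware image share one baked-in
# host key, a fourth has had its key regenerated. Addresses are RFC 5737 documentation IPs.
SHARED_BLOB = ed25519_blob(bytes(range(32)))                        # stand-in vendor-wide key
UNIQUE_BLOB = ed25519_blob(hashlib.sha256(b"device-4").digest())    # stand-in per-device key
SAMPLE_KEYSCAN = [
    "# 192.0.2.10:22 SSH-2.0-dropbear_2016.74",
    f"192.0.2.10 ssh-ed25519 {SHARED_BLOB}",
    f"192.0.2.11 ssh-ed25519 {SHARED_BLOB}",
    f"192.0.2.12 ssh-ed25519 {SHARED_BLOB}",
    f"192.0.2.13 ssh-ed25519 {UNIQUE_BLOB}",
]

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

To run it against a real network, put your device addresses in a file and feed the output of `ssh-keyscan -f hosts.txt` into `shared_host_keys`. Any fingerprint listed against several hosts is a key that was never regenerated after manufacture; the same grouping-by-fingerprint idea applies to the devices' TLS certificates, with the certificate fingerprint in place of the SSH one.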
Here is some more Tech News from around the web:
- Apple lists the iPhone 7 and iPhone 7 Plus on its own bloody website @ The Inquirer
- AMD unwraps its seventh-generation desktop APUs and AM4 platform @
- Testing the Right Things with Docker @ Linux.com
- Linux creator Torvalds has another expletive-filled rant at the community @ The Inquirer
- FCC goes over the top again to battle America's cable-box rip-off @ The Register
- US tech college ITT is not pining for the fjords. It is no more. It has gone and met its maker @ The Register
- Nitro Concepts E200 Race Chair @ Kitguru
- The Affordable honor 5A Smartphone Revealed @ Tech ARP
- Anonabox Pro TOR VPN Router Review @ OCC
The IoT and “smart” devices
The IoT and “smart” devices are anything but smart. Most of them are nothing more than useless, EMI-generating security holes.