Embedded devices with vulnerable hard-coded encryption keys continue to proliferate, warn researchers

The 'internet of insecure things' to become even more insecure after SEC-Consult dumps data on GitHub

The number of embedded devices "secured" with potentially vulnerable hard-coded encryption keys is increasing at a faster rate now than when the problem was first highlighted in November last year.

That is the warning of Singaporean security company SEC-Consult, which claims that its earlier research, far from persuading device makers to improve the security of their devices, has in fact been totally ignored.

"The number of devices on the web using known private keys for HTTPS server certificates has gone up by 40 per cent in the last nine months [since the original report]," the company claims. That follows an awareness campaign run by the company in a bid to inform 50 or so different vendors, plus internet service providers (ISPs), of the developing security problem.

"There are many explanations for this development," the company suggested in a blog post.

"The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/end-of-life products might be a significant factor, but even when patches are available, embedded systems are rarely patched.

"Insufficient firewalling of devices on the wide-area network side (not just by users, but also by ISPs in case of ISP-supplied customer premises equipment) and the trend of IoT-enabled products are surely a factor as well."

In a bid to jolt the companies developing the devices, as well as those using them and connecting them to the internet, SEC-Consult has released the raw data on GitHub.

"The data we are publishing consists of 331 certificates, including the matching private key, as well as 553 individual private keys. We've also included the names of products that contain the certificates/keys. Cryptographic keys that were not found in internet-wide scan data (Scans.io and Censys.io, HTTPS/SSH) are included as well," it warned.

It continued: "The data we are publishing [not only] allows researchers to reproduce the results of our study, find more cases of cryptographic key re-use, attribute cryptographic keys to specific vendors/products, but also to develop tools for detecting and exploiting this vulnerability class in the course of penetration tests."
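To illustrate the detection and attribution work such a dataset enables, here is an added example (not SEC-Consult's code or data): it fingerprints the public keys seen in scan records, flags keys shared by several hosts, and matches hosts against a published list of known product keys. All scan records, key bytes, addresses and product names below are constructed.

```python
import hashlib
from collections import defaultdict

def spki_fingerprint(spki_der: bytes) -> str:
    """SHA-256 over the DER-encoded SubjectPublicKeyInfo, the usual
    fingerprint for matching a certificate's key across scan datasets."""
    return hashlib.sha256(spki_der).hexdigest()

# Constructed sample scan: (host, bytes standing in for the DER-encoded
# public key pulled from that host's HTTPS certificate). Real scan data
# such as Censys already exposes this fingerprint per host.
SCAN_RECORDS = [
    ("198.51.100.10", b"constructed-spki-A"),
    ("198.51.100.11", b"constructed-spki-A"),
    ("203.0.113.5",   b"constructed-spki-A"),
    ("203.0.113.9",   b"constructed-spki-B"),
    ("192.0.2.77",    b"constructed-spki-C"),
    ("192.0.2.78",    b"constructed-spki-C"),
]

# Constructed stand-in for a published dataset mapping a key fingerprint
# to the firmware/product it was extracted from.
KNOWN_KEYS = {
    spki_fingerprint(b"constructed-spki-A"): "ExampleVendor Router X1 (constructed)",
    spki_fingerprint(b"constructed-spki-C"): "ExampleVendor Gateway Z3 (constructed)",
}

def find_key_reuse(records, min_hosts: int = 2) -> dict:
    """Group hosts by key fingerprint; a key served by several unrelated
    hosts is the signature of a hard-coded key baked into firmware."""
    by_fp = defaultdict(set)
    for host, spki in records:
        by_fp[spki_fingerprint(spki)].add(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items()
            if len(hosts) >= min_hosts}

def attribute_hosts(records, known_keys: dict) -> dict:
    """Map each host whose key appears in the published list to the
    product that ships that key; unknown keys are left out."""
    hits = {}
    for host, spki in records:
        product = known_keys.get(spki_fingerprint(spki))
        if product is not None:
            hits[host] = product
    return hits

if __name__ == "__main__":
    for fp, hosts in find_key_reuse(SCAN_RECORDS).items():
        print(f"key {fp[:16]}... shared by {len(hosts)} hosts: {hosts}")
    for host, product in attribute_hosts(SCAN_RECORDS, KNOWN_KEYS).items():
        print(f"{host} serves the key shipped in {product}")
```

A defender can run the same matching over their own perimeter scan to find devices exposing a key that anyone with the firmware image already holds.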

The company said that it did not take the decision to release the sensitive data lightly, "as it allows global adversaries to exploit this vulnerability class on a large scale". But, it added: "We think that any determined attacker can repeat our research and get the private keys from publicly available firmware with ease."