Most of them are deployed by Telefónica de España

Feb 19, 2015 13:18 GMT

Starting from a search for one SSH fingerprint, a researcher has discovered that over 250,000 home routers share the same SSH key, allowing an attacker access to all the devices if the key is found.

Upon closer investigation, John Matherly, founder of the Shodan search engine for Internet-connected devices, discovered that the routers were from Spain and ran a version of the Dropbear SSH software package, which is designed for embedded devices.

Mass configuration of the devices may be the cause

The Shodan results also revealed that most of the IP addresses of the routers belonged to Internet Service Provider (ISP) Telefónica de España.

“It appears that some of their networking equipment comes setup with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices,” Matherly said in a blog post on Tuesday.

The purpose of an SSH key is to identify a trusted device in order to establish a secure connection. The process relies on public-key cryptography, where two separate keys are used, a public one for encrypting the data and a secret one for decryption.

However, when multiple devices share the same key, identifying each one of them individually becomes impossible; as such, each product should have its own unique SSH private key. Matherly believes that this is just a matter of misconfiguration of the devices.
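An added example, not from the article or from Matherly's research: a Python check that reads host-key lines in the `host keytype base64` layout printed by `ssh-keyscan`, fingerprints each key, and lists the fingerprints that appear on more than one host in an inventory you manage. The addresses and key bodies in `SAMPLE` are constructed (filler bytes, not real keys), and the function names are this example's own.

```python
import base64
import hashlib
from collections import defaultdict

def fingerprints(blob):
    """Return (legacy MD5 colon-hex, SHA256 base64) fingerprints of a key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    md5 = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5, "SHA256:" + sha

def parse_line(line):
    """Parse 'host keytype base64'; return (host, blob) or None if malformed."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    host, keytype, b64 = parts[:3]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob starts with a uint32 length plus the key type; it must match column 2.
    n = int.from_bytes(blob[:4], "big")
    return (host, blob) if blob[4:4 + n] == keytype.encode() else None

def shared_host_keys(lines):
    """Map each fingerprint pair seen on more than one host to those hosts."""
    groups = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            groups[fingerprints(parsed[1])].add(parsed[0])
    return {fp: sorted(h) for fp, h in groups.items() if len(h) > 1}

def sample_line(host, keytype, body):
    # Constructed key blob: valid framing, filler bytes instead of key material.
    kt = keytype.encode()
    blob = len(kt).to_bytes(4, "big") + kt + body
    return f"{host} {keytype} {base64.b64encode(blob).decode()}"

SAMPLE = [  # constructed inventory using documentation addresses
    sample_line("192.0.2.10", "ssh-rsa", b"\x01" * 64),
    sample_line("192.0.2.11", "ssh-rsa", b"\x01" * 64),  # same key as .10
    sample_line("192.0.2.12", "ssh-rsa", b"\x02" * 64),
    "192.0.2.13 ssh-rsa not-base64!!",                   # malformed, skipped
]

if __name__ == "__main__":
    for (md5, sha), hosts in shared_host_keys(SAMPLE).items():
        print(md5, sha, hosts)
```

Any fingerprint this reports on more than one device means those devices present the same host key and should each have a fresh one generated.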

More duplicate SSH keys discovered

The researcher also conducted lookups for two different SSH fingerprints and found that using duplicate SSH keys is not too uncommon, as about 200,000 results were returned in one case (most of the routers were from China and Taiwan) and over 150,000 in another, the devices being located in the US and Japan.

An SSH connection is used by administrators who want to connect to a device in a secure manner. In the case of routers, it can be used to change settings remotely, but this is an option for advanced users.

The recommendation would be to disable SSH connectivity in the router, but the problem is that the average consumer would have a hard time doing this.

Matherly compiled a set of 1,000 unique fingerprints encountered on multiple devices across the globe, and published it on GitHub. He expects that security experts will uncover “interesting security issues” while analyzing it.

Duplicate SSH keys (3 images):

Duplicate SSH fingerprint in routers in Spain
Shared SSH key on home routers in China and Taiwan
The same SSH key is used on 150,000 devices in Japan and the US