Potential Vulnerability of SSL on Devices

     

Today, many embedded devices rely heavily on SSL encryption through the use of hard-coded keys located within the device's firmware. In this scenario, all devices running a given firmware version are using the same private SSL key, resulting in a potential security vulnerability that could put data at risk.

As recently described on the Embedded Device Hacking blog:

That means that if Alice and Bob are both using the same router with the same firmware version, then both of their routers have the same SSL keys. All Eve needs to do in order to decrypt their traffic is to download the firmware from the vendor's Web site and extract the SSL private key from the firmware image.

The difficulty in determining precisely which firmware version a device is using makes this attack impractical to execute. However, as reported by Embedded Device Hacking, a project known as "LittleBlackBox" (a growing database of known SSL private keys that have been correlated to their corresponding public certificates as well as the firmware known to use them) is proving that this vulnerability could become significantly more exploitable over time.
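For an administrator, the same correlation can be run defensively over their own fleet. The following is an added example, not code from the original post or from the LittleBlackBox project: it fingerprints the certificate each device presents and flags any certificate that is shared by several devices or that appears in a list of fingerprints known to ship in firmware. The device names, the certificate bytes and the known-fingerprint set are constructed stand-ins.

```python
import hashlib
import ssl
from collections import defaultdict


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding of a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def audit(inventory: dict, known_firmware_fps: set) -> dict:
    """Map each risky certificate fingerprint to its devices and the reasons.

    inventory: {device name: PEM certificate the device presents}
    known_firmware_fps: fingerprints of certificates known to be baked into
    firmware images (assumed input, e.g. exported from a key database).
    """
    by_fp = defaultdict(list)
    for device, pem in inventory.items():
        by_fp[fingerprint(pem)].append(device)

    findings = {}
    for fp, devices in by_fp.items():
        reasons = []
        if len(devices) > 1:
            # Identical certificate on several devices means one private key.
            reasons.append("shared-across-devices")
        if fp in known_firmware_fps:
            # The matching private key can be read out of the firmware image.
            reasons.append("listed-as-firmware-key")
        if reasons:
            findings[fp] = {"devices": sorted(devices), "reasons": reasons}
    return findings


# Constructed sample data: placeholder bytes wrapped as PEM, not real certificates.
FIRMWARE_CERT = ssl.DER_cert_to_PEM_cert(b"constructed: cert baked into firmware")
UNIQUE_CERT = ssl.DER_cert_to_PEM_cert(b"constructed: cert generated on first boot")
INVENTORY = {
    "router-alice": FIRMWARE_CERT,
    "router-bob": FIRMWARE_CERT,
    "router-carol": UNIQUE_CERT,
}
KNOWN_FIRMWARE_FPS = {fingerprint(FIRMWARE_CERT)}

if __name__ == "__main__":
    for fp, info in audit(INVENTORY, KNOWN_FIRMWARE_FPS).items():
        print(fp[:16], info["devices"], info["reasons"])
```

Against real devices, the PEM strings for the inventory can be collected with `ssl.get_server_certificate((host, port))`; any device that is flagged should have its key and certificate regenerated so that they are unique to that device.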