The recent publication of a database containing over 2,000 private SSL keys hard-coded into various routers – together with their corresponding public certificates and hardware/firmware versions – has made it easy to decrypt, or impersonate, the HTTPS administrative interface of an affected device: anyone who can capture or intercept traffic to that interface now holds the same private key the device does.
“While most of these certificates are from DD-WRT firmware, there are also private keys from other vendors including Cisco, Linksys, D-Link and Netgear,” says Craig Heffner, a member of the /dev/ttyS0 group behind the project, called LittleBlackBox.
“Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device’s firmware. Private keys can be recovered by supplying LittleBlackBox with the corresponding public key. If the public key is not readily available, LittleBlackBox can retrieve the public certificate from a pcap file, live traffic capture, or by directly querying the target host,” he wrote, and offered the LittleBlackBox code for download.
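The lookup Heffner describes rests on one fact: a certificate and the private key it was issued for carry the same public key, so a fingerprint of that public key is enough to join a captured certificate to a key pulled out of a firmware image. The script below is an added example written for this article, not LittleBlackBox's own code. It assumes only the `openssl` command-line tool; the three RSA keys, the two certificates and the `keys.db` file are constructed on the fly to stand in for keys extracted from firmware and a certificate grabbed from a router.

```sh
#!/bin/sh
# Added example (not LittleBlackBox code): match a router certificate against a
# local database of private keys recovered from firmware, keyed on the public key.
set -eu

# Fingerprint = SHA-256 over the DER SubjectPublicKeyInfo read from stdin (PEM).
# Certificate and private key share the SPKI, so this is the join key.
spki_fingerprint() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public half of a private key file (as found in firmware).
key_fingerprint() {
    openssl pkey -in "$1" -pubout | spki_fingerprint
}

# Fingerprint of the public key inside a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -pubkey -noout | spki_fingerprint
}

# build_keydb DBFILE KEY... : one "fingerprint<TAB>keypath" line per key.
build_keydb() {
    db=$1; shift
    : > "$db"
    for k in "$@"; do
        printf '%s\t%s\n' "$(key_fingerprint "$k")" "$k" >> "$db"
    done
}

# lookup_key DBFILE CERT : print the path of the matching private key,
# exit non-zero when the certificate's key is not in the database.
lookup_key() {
    fp=$(cert_fingerprint "$2")
    awk -F'\t' -v fp="$fp" '$1 == fp { print $2; found = 1 } END { exit !found }' "$1"
}

# cert_from_host HOST PORT OUT : fetch the live certificate, the "query the
# target host" path; defined for completeness, not called in this offline run.
cert_from_host() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# --- constructed sample data ----------------------------------------------
# fw_a.key / fw_b.key play the role of keys extracted from two firmware images;
# target.pem is a certificate issued from fw_b.key (a vulnerable router);
# other.pem comes from a key that is NOT in the database (a unique key).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl genrsa -out "$WORK/fw_a.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/fw_b.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/unknown.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/fw_b.key" -days 1 -subj '/CN=router' \
    -out "$WORK/target.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/unknown.key" -days 1 -subj '/CN=other' \
    -out "$WORK/other.pem" 2>/dev/null

build_keydb "$WORK/keys.db" "$WORK/fw_a.key" "$WORK/fw_b.key"

if key=$(lookup_key "$WORK/keys.db" "$WORK/target.pem"); then
    echo "target.pem: private key recovered from $key"
fi
if ! lookup_key "$WORK/keys.db" "$WORK/other.pem" >/dev/null; then
    echo "other.pem: no known key for this certificate"
fi
```

The same check works as a defensive control: point `cert_fingerprint` at your own device's certificate and compare it against the public LittleBlackBox database; a hit means every box shipping that firmware image presents a key the whole world already has, and the only fix is generating a per-device key.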
This action by the /dev/ttyS0 group might spur some people into labeling it irresponsible and insisting that it will mostly aid individuals with malicious intentions – much as the release of Firesheep did.
But others might be of the opinion that embedded certificates and passwords (see Stuxnet’s use of a hard-coded password for accessing the databases used by Siemens’ SCADA systems) should become a thing of the past, and hail this project as a way of demonstrating the inherent insecurity of the practice. It is not a coincidence that the LittleBlackBox project was presented on the Full Disclosure mailing list.