Over 250,000 home routers sport same SSH keys, warns researcher

With a simple search, John Matherly, the creator of Shodan, has discovered with it more than 250,000 routers that share the same SSH key, meaning they also share the same private key. An attacker could access and hijack them if the devices are configured to allow remote access and authentication.

According to Matherly, who checked out their IP addresses, these particular devices are home routers deployed by Telefonica de Espana, and sport Dropbear SSH instances.

Secure Shell (SSH) is typically used to log into a remote machine and execute commands, and is usually very rarely used by home users. Nevertheless, these devices are equipped with it.

“It appears that some of [Telefonica de Espana’s] networking equipment comes setup with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices,” Matherly posited.

It could also be that the Spanish ISP has also used the same image with the same settings on all of the devices and forgot to configure SSH and create a new pair of encryption keys for each.

This is not only this ISP’s or manufacturer’s problem. Matherly inputed several other (supposedly) unique fingerprints (shorter versions of a device’s public key) into Shodan, and repeatedly received unfortunate results: “The next duplicated fingerprint on the list comes in at around 200,000 devices, followed by another one used by 150,000 devices.”

He also shared a list of 1,000 duplicated SSH fingerprints on the Internet for other researchers to unearth security issues.

Matherly notes that these results point to “systemic issues that plague both hardware manufacturers as well as ISPs/ hosting providers.”