A security company looking to raise awareness of a glaring security flaw has published on GitHub the private encryption keys hard-coded into internet-connected embedded devices.
Vienna-based SEC Consult published a report highlighting the flaw nine months ago, but has since found more affected devices exposed on the internet than ever before. Its attempts to alert the companies concerned to the poor security practices were seemingly ignored.
The number of devices on the web using known private keys for HTTPS server certificates has gone up by 40 per cent in the nine months since the original report, the company claimed.
This follows an awareness campaign run by SEC Consult to inform 50 or so vendors and ISPs of the growing security problem.
"There are many explanations for this development. The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/end-of-life products might be a significant factor, but even when patches are available embedded systems are rarely patched," the company said in a blog post.
"Insufficient firewalling of devices on the wide-area network side (not just by users, but by ISPs in case of ISP-supplied customer premises equipment), and the trend of IoT-enabled products, are surely factors as well."
SEC Consult has now released the raw data on GitHub in a bid to persuade device makers and their customers of the dangers of exposing such devices to the internet.
"The data we are publishing consists of 331 certificates, including the matching private key, as well as 553 individual private keys. We've also included the names of products that contain the certificates/keys," the company warned.
"Cryptographic keys that were not found in internet-wide scan data (Scans.io and Censys.io, HTTPS/SSH) are included as well.
"The data we are publishing allows researchers to reproduce the results of our study, find more cases of cryptographic key reuse, attribute cryptographic keys to specific vendors/products, and to develop tools for detecting and exploiting this vulnerability class in the course of penetration tests."
SEC Consult explained that it did not take the decision to release the sensitive data lightly.
"It allows global adversaries to exploit this vulnerability class on a large scale. We think that any determined attacker can repeat our research and get the private keys from publicly available firmware with ease," the company said.
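The detection tooling SEC Consult's statement invites is straightforward in outline: a private key reused across devices shows up as an identical SubjectPublicKeyInfo (SPKI) blob in the certificates that many unrelated hosts present, so hashing that field and grouping hosts by the hash exposes the reuse without needing the private key at all. The following is an added example written for this page, not code from SEC Consult or from its GitHub release. It walks certificate DER with a minimal TLV parser (no third-party libraries), fingerprints the SPKI and reports keys seen on more than one host. The certificates it runs over are constructed stand-ins with placeholder names, algorithm identifiers and key bits; the host labels are likewise invented.

```python
"""Added example: flag TLS certificates that share a public key.

A hard-coded key reused across devices appears as the same DER-encoded
SubjectPublicKeyInfo (SPKI) in every certificate those devices serve.
Hash the SPKI of each scanned certificate and group hosts by the hash.
All certificates below are constructed test data, not real devices'.
"""
import hashlib
from collections import defaultdict

SEQUENCE, SET, CONTEXT_0 = 0x30, 0x31, 0xA0
INTEGER, BIT_STRING, NULL, OID, UTF8_STRING, UTC_TIME = 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17


def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def der_read_tlv(data: bytes, off: int):
    """Return (tag, value_start, value_end) for the TLV starting at `off`."""
    tag, first = data[off], data[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(data[off + 2:off + 2 + nb], "big"), 2 + nb
    start = off + hdr
    return tag, start, start + length


def der_children(data: bytes, start: int, end: int):
    """Split a constructed type's content into (tag, whole_tlv_bytes) pairs."""
    out, off = [], start
    while off < end:
        tag, s, e = der_read_tlv(data, off)
        out.append((tag, data[off:e]))
        off = e
    return out


def spki_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    RFC 5280: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, s, _ = der_read_tlv(cert_der, 0)
    if tag != SEQUENCE:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs_s, tbs_e = der_read_tlv(cert_der, s)
    if tbs_tag != SEQUENCE:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(cert_der, tbs_s, tbs_e)
    if fields and fields[0][0] == CONTEXT_0:  # explicit version tag present (v2/v3)
        fields = fields[1:]                   # a v1 certificate omits it
    if len(fields) < 6:
        raise ValueError("tbsCertificate has too few fields")
    return hashlib.sha256(fields[5][1]).hexdigest()


def find_shared_keys(hosts):
    """hosts: iterable of (host_label, cert_der). Returns {spki_sha256: [labels]}
    restricted to keys presented by more than one host."""
    by_key = defaultdict(list)
    for label, cert in hosts:
        by_key[spki_fingerprint(cert)].append(label)
    return {fp: labels for fp, labels in by_key.items() if len(labels) > 1}


# ---- constructed sample data (placeholder OIDs/key bits; not real certs) ----
RSA_OID = der_encode(OID, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01")
SHA256_RSA_OID = der_encode(OID, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B")


def fake_spki(key_bits: bytes) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING key }."""
    alg = der_encode(SEQUENCE, RSA_OID + der_encode(NULL, b""))
    return der_encode(SEQUENCE, alg + der_encode(BIT_STRING, b"\x00" + key_bits))


def fake_cert(common_name: str, spki: bytes) -> bytes:
    """Structurally valid v3 certificate with dummy fields and an empty signature."""
    cn = der_encode(SEQUENCE, der_encode(OID, b"\x55\x04\x03") + der_encode(UTF8_STRING, common_name.encode()))
    name = der_encode(SEQUENCE, der_encode(SET, cn))
    validity = der_encode(SEQUENCE, der_encode(UTC_TIME, b"160901000000Z") + der_encode(UTC_TIME, b"260901000000Z"))
    tbs = der_encode(SEQUENCE,
                     der_encode(CONTEXT_0, der_encode(INTEGER, b"\x02"))  # version v3
                     + der_encode(INTEGER, b"\x01")                       # serialNumber
                     + der_encode(SEQUENCE, SHA256_RSA_OID)                # signature algorithm
                     + name + validity + name + spki)                     # issuer, validity, subject, SPKI
    return der_encode(SEQUENCE, tbs + der_encode(SEQUENCE, SHA256_RSA_OID) + der_encode(BIT_STRING, b"\x00"))


SHARED_KEY = fake_spki(b"\x30\x0D\x02\x08" + b"\xAB" * 8 + b"\x02\x01\x03")
UNIQUE_KEY = fake_spki(b"\x30\x0D\x02\x08" + b"\xCD" * 8 + b"\x02\x01\x03")
SAMPLE_HOSTS = [
    ("router-a.example (ISP A)", fake_cert("router", SHARED_KEY)),
    ("router-b.example (ISP B)", fake_cert("router", SHARED_KEY)),
    ("camera.example", fake_cert("camera", UNIQUE_KEY)),
]

if __name__ == "__main__":
    for fp, labels in find_shared_keys(SAMPLE_HOSTS).items():
        print(f"SPKI {fp[:16]}... presented by {len(labels)} hosts: {labels}")
```

Hashing the whole SPKI TLV rather than just the key bits means an RSA modulus wrapped in a different AlgorithmIdentifier would not collide, which is the conservative choice for a first pass; a second pass comparing bare moduli catches the rarer case of the same key advertised under two algorithm encodings. On real scan data the same grouping, keyed on the SPKI hash that Censys-style datasets already publish, is what turns a few hundred published keys into a list of exposed hosts.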