Encryption Keys Hard Coded In IoT Devices

Researchers from the security firm SEC Consult did a little research.  They reverse engineered a number of routers, IP cameras, VoIP phones and other embedded devices.

They discovered two things:

  1. Manufacturers seem to have a bad habit of hard coding secret encryption keys inside the firmware of their Internet of Things devices.
  2. Manufacturers of IoT devices do not understand the world of software or secure software development.

As a user of IoT devices, this means that until they do understand security (if they ever do), you are going to have to protect yourself.

The researchers looked at the firmware inside over 4,000 different IoT devices and found over 580 different “secret” encryption keys in these devices.  These keys allow someone – anyone – to establish an encrypted session with the device.  It might be a web session or it might be a different Internet protocol such as SSH.

The problem is that IF the researchers were able to find the keys, so could the bad guys or hostile governments or … you name it.

Going back to these 580 keys that the researchers found.  They then correlated those keys to devices actually on the Internet.  230 of those keys controlled over 4 million Internet connected devices.

If you have those keys, you can pretend that you are the devices.  You can decrypt traffic.  You can, ultimately, with a little work, take over the device.  If you can take over the device, you can take over the network that the device is on – like your home network or your business network.

All this because the manufacturers reuse secret keys.  Kind of like when you use the same password on Facebook and email – only 4 million times worse.

Read the article if you want more details, but hopefully, you get the general idea.

So what do you do?  Luckily, unlike yesterday’s post, there are actually simple, concrete things that you can do.

  1. DO NOT connect your <pick a device> to the Internet.  Do you REALLY need to web surf on your refrigerator.  If it is not connected, it cannot be easily hacked.
  2. For some things, they are not very useful if they are not connected.  For example, if you have a burglar alarm that calls the police over an Internet connection, then not connecting it is not an option.  In those cases, you do need to connect them
  3. IF you have the option, isolate IoT devices from the rest of the network.  For businesses with fancy firewalls, you can segment those devices into a zone of their own.  At home you may have cable Internet.  Buy a DSL connection from the phone company for $15 a month and put all your IoT devices on that slow DSL connection.  They likely don’t care.  You can’t do the firewall trick that businesses do because unlike the expensive business firewall, even though it says in the manual that it has a DMZ, it doesn’t really.  They are lying.  They have a function that sorta kinda acts like a DMZ, but just like in the TV commercial, sorta kinda isn’t the same thing.
  4. Inventory your connected IoT devices.  You may have a baby monitor, a security camera, a Ring (R) doorbell and a smart TV.  Do you even realize how many IoT devices you have on your network?
  5. Log on to each device and attempt to disable as many unneeded services as possible.  Don’t fool yourself into thinking this is perfect – it is not.  But, in this case, less is better.

And finally, if you have a geek friend, buy your friend dinner and ask him or her to look at things and make some suggestions.  It is likely a cheap dinner.

Just sayin’.

Information for this post came from Infoworld.

Leave a Reply

Your email address will not be published. Required fields are marked *