Nine months after researchers revealed that millions of devices are exposed to cyberattacks due to the reuse of cryptographic keys in their firmware, the number of impacted systems has increased considerably.
In November 2015, security firm SEC Consult reported finding a fairly small number of cryptographic secrets, including private keys and certificates, used across more than 4,000 embedded devices from over 70 vendors. The list of affected products includes modems, IP cameras, routers, gateways and VoIP phones.
Experts identified 580 unique keys, including roughly 80 SSH host keys used by nearly one million hosts and approximately 150 server certificates used by 3.2 million hosts (9% of the total) for HTTPS. They warned that attackers could leverage the shared keys to launch man-in-the-middle (MitM), impersonation and passive decryption attacks.
In a follow-up blog post published on Tuesday, SEC Consult reported that the number of devices using these shared private keys for HTTPS server certificates has increased by 40 percent to 4.5 million. The company is still in the process of obtaining information on the use of SSH host keys.
“The inability of vendors to provide patches for security vulnerabilities including but not limited to legacy/EoL products might be a significant factor, but even when patches are available, embedded systems are rarely patched. Insufficient firewalling of devices on the WAN side (by users, but also ISPs in case of ISP-supplied customer premises equipment, CPE) and the trend of IoT-enabled products are surely a factor as well,” SEC Consult explained.
The company has decided to release 331 certificates and 553 unique private keys uncovered during its research, along with the names of the products that use them. The goal is to allow others to reproduce the results of the study, find additional crypto key reuse cases, and aid the development of tools for detecting and exploiting such vulnerabilities.
Some might argue that releasing the keys is beneficial for malicious actors, but the security firm noted that attackers could easily reproduce the research and obtain the private keys themselves.
SEC Consult turned to CERT/CC for help in notifying affected vendors. According to CERT/CC’s advisory, only a few vendors confirmed being impacted and even those in many cases decided not to address the issue. Cisco, for instance, admitted that many of its products are exposed to MitM attacks due to certificate and key reuse, but the networking giant argued that such attacks are not easy to conduct.
Another affected vendor is HPE-owned networking company Aruba, which has used a GeoTrust-issued certificate that is valid until August 2017. The certificate in question is part of ArubaOS and it’s present on nearly 50,000 Internet-accessible devices. The certificate is also found in the firmware of a product from Alcatel-Lucent, to which Aruba provides OEM equipment.
This is a noteworthy case since unlike most other certificates found by SEC Consult, this one is signed by a browser-trusted certificate authority and it’s used not only for HTTPS but also for WPA2-Enterprise 801.X authentication.
“This allows attackers to do all kinds of nasty MITM attacks (active/passive HTTPS decryption, rogue access points, etc.),” SEC Consult warned.
Aruba has known about the issue since May 2015, and while the company has promised to migrate to device-specific self-signed certificates, it has decided not to revoke the problematic certificate.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
Latest News
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- 20 Million Users Impacted by Data Breach at Instant Checkmate, TruthFinder
- Cyber Insights 2023 | Zero Trust and Identity and Access Management
- Cyber Insights 2023 | The Coming of Web3
- European Police Arrest 42 After Cracking Covert App
- Florida Hospital Cancels Procedures, Diverts Patients Following Cyberattack
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
