Share and share alike, right? Not when it comes to private keys for internet-connected smart devices, such as gateways, routers, modems and embedded IoT tools. According to Infosecurity Magazine, however, new research from SEC Consult found that sharing of nonunique crypto keys is up 40 percent over the last nine months, putting 4.5 million devices at risk.
The security firm released all of its research data, including all 331 HTTPS certificates, 553 private keys and the names of products using them. In doing so, it hopes to spur industry adjustment before cybercriminals leverage crypto reuse to cause real problems.
Sharing of Crypto Keys Is Nothing New
SEC’s research is a rehash of the same study from a year ago, which also warned companies about this problem, Threatpost reported. Instead of a positive change, however, researchers found even more devices at risk.
“There are many explanations for this development,” said senior security consultant Stefan Viehböck, as quoted by Threatpost. “The inability of vendors to provide patches for security vulnerabilities, including, but not limited to, legacy/[end of life] products, might be a significant factor.”
In addition, available patches are rarely applied to firmware, while a lack of WAN firewalling and the sharp rise of IoT-enabled products in the workplace also contribute to the huge number of crypto keys needed. That explains why it’s often easier for companies to simply use the default key rather than generate a unique one for each device.
“The attack surface is only broadening, with millions more devices being added daily,” Kevin Bocek of security firm Venafi told Infosecurity Magazine. What’s more, the rise of agile DevOps is putting pressure on developers to push out devices and software at a breakneck pace. That’s not ideal, since IT security always suffers when speed is the primary objective.
More Serious Threats on the Horizon
While the reuse of crypto keys certainly isn’t good news, what’s the real worry for companies? Sure, SEC Consult’s release of the data makes things more difficult, since enterprises need to make sure they’re not impacted. As the security firm pointed out, however, it was only a matter of time until cybercriminals conducted the same kind of research and discovered ways to launch man-in-the-middle (MitM) attacks.
Ars Technica noted that there are other threats on the horizon. Consider the Rowhammer exploit, which makes it possible to flip individual bits in computer memory. Until recently, Rowhammer was little more than a proof of concept, since it wasn’t particularly useful in the wild. Now, researchers have created a variant called Flip Feng Shui, which abuses the memory deduplication that cloud hosts often use in order to discover where crypto keys are stored.
Combined with SEC’s findings, this has the makings of a real problem: If attackers use Rowhammer to get their hands on a shared crypto key, suddenly they’ll have access to a host of corporate routers, modems and other network infrastructure.
Every connected device needs its own unique crypto signature. Choosing communal access, meanwhile, effectively starts a countdown: By brute force or feng shui, malicious actors will find shared keys and use them to open every connected lock they can find.
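As an added example, not from the article or from SEC Consult's own tooling, a small fleet audit in Go that flags devices presenting the same public key; the inventory, device names and keys are constructed here, and in a real check the key bytes would come from each device's HTTPS certificate:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"sort"
)

// FindSharedKeys takes device name -> public key bytes (for fielded devices this is
// cert.RawSubjectPublicKeyInfo from a TLS handshake, which hashes the same way) and
// returns fingerprint -> sorted device names for every key that more than one device
// presents. Those devices share a private key: one leak lets a MitM impersonate all.
func FindSharedKeys(inventory map[string][]byte) map[string][]string {
	byFP := map[string][]string{}
	for name, pub := range inventory {
		sum := sha256.Sum256(pub)
		fp := hex.EncodeToString(sum[:])
		byFP[fp] = append(byFP[fp], name)
	}
	shared := map[string][]string{}
	for fp, names := range byFP {
		if len(names) > 1 {
			sort.Strings(names) // deterministic output for reports and tests
			shared[fp] = names
		}
	}
	return shared
}

// newPublicKey generates a fresh Ed25519 key pair for constructed test data only.
func newPublicKey() []byte {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub
}

// ConstructedFleet models the pattern in the research: one vendor default key baked
// into three units, and a single device that was provisioned with its own key.
func ConstructedFleet() map[string][]byte {
	vendorDefault := newPublicKey()
	return map[string][]byte{
		"gateway-01": vendorDefault, "gateway-02": vendorDefault,
		"router-03": vendorDefault, "modem-07": newPublicKey(),
	}
}
```

Any fingerprint that appears on more than one device is a key that should be rotated to a per-device value.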