September 8, 2016 By Douglas Bonderud 2 min read

Share and share alike, right? Not when it comes to private keys for internet-connected smart devices, such as gateways, routers, modems and embedded IoT tools. According to Infosecurity Magazine, however, new research from SEC Consult found that sharing of nonunique crypto keys is up 40 percent over the last nine months, putting 4.5 million devices at risk.

The security firm released all of its research data, including all 331 HTTPS certificates, 553 private keys and the names of products using them. In doing so, it hopes to spur industry adjustment before cybercriminals leverage crypto reuse to cause real problems.

Sharing of Crypto Keys Is Nothing New

SEC’s research is a rehash of the same study from a year ago, which also warned companies about this problem, Threatpost reported. Instead of a positive change, however, researchers found even more devices at risk.

“There are many explanations for this development,” said senior security consultant Stefan Viehböck, as quoted by Threatpost. “The inability of vendors to provide patches for security vulnerabilities, including, but not limited to, legacy/[end of life] products, might be a significant factor.”

In addition, available patches are rarely applied to firmware, while a lack of WAN firewalling and the sharp rise of IoT-enabled products in the workplace also contribute to the huge number of crypto keys needed. That explains why it’s often easier for companies to simply use the default key rather than generate a unique one for each device.

“The attack surface is only broadening, with millions more devices being added daily,” Kevin Bocek of security firm Venafi told Infosecurity Magazine. What’s more, the rise of agile DevOps is putting pressure on developers to push out devices and software at a breakneck pace. That’s not ideal, since IT security always suffers when speed is the primary objective.

More Serious Threats on the Horizon

While the reuse of crypto keys certainly isn’t good news, what’s the real worry for companies? Sure, SEC Consult’s release of the data makes things more difficult, since enterprises need to make sure they’re not impacted. As the security firm pointed out, however, it was only a matter of time until cybercriminals conducted the same kind of research and discovered ways to launch man-in-the-middle (MitM) attacks.

Ars Technica noted that there are other threats on the horizon. Consider the Rowhammer exploit, which makes it possible to flip individual bits in computer memory. Until recently, Rowhammer was little more than proof-of-concept, since it wasn’t particularly useful in the wild. Now, researchers have created a variant called Flip Feng Shui, which manipulates deduplication procedures often used by cloud hosts to discover where crypto keys are stored.

Combined with SEC’s findings, this has the makings of a real problem: If attackers use Rowhammer to get their hands on a shared crypto key, suddenly they’ll have access to a host of corporate routers, modems and other network infrastructure.

Every connected device needs its own unique crypto signature. Choosing communal access, meanwhile, effectively starts a countdown: By brute force or feng shui, malicious actors will find shared keys and use them to open every connected lock they can find.

More from

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today