Research by information security consultancy SEC Consult has revealed worrying vulnerabilities in network devices such as routers and switches; plus poor encryption key management.
The problem is industry-wide, SEC Consult said, having discovered that more than 900 products from around 50 well-known device vendors are vulnerable.
- The significance of potential network devices’ security vulnerabilities
- The hidden costs of software dependent devices
- Highlights why encryption must be separated from network devices
Once again, we are hearing how data network routers and switches are highly vulnerable to data breaches. Even devices with added encryption blades have proven to have serious security vulnerabilities; despite the faith network vendors place in the router and switch manufacturers.
Additionally, the Encryption Key Management referred to by SEC Consult is ‘poor security practice’. Today, customers and network vendors must adopt best-of-breed encryption to both provide effective and robust security whilst maximising network performance.
Digital key reuse leaves millions of network devices vulnerable
Network vendors are reusing digital certificates and keys used to authenticate users for logins, researchers have found.
Security vendor SEC Consult conducted internet-wide scans and analysis of over 4000 embedded device firmwares, from over 70 vendors, running internet gateways, routers, modems, network cameras, voice over IP phones and others. It discovered that its data set of 580 private keys were reused by around 3.2 million systems on the internet, offering HTTPS security in approximately 150 server certificates. A further 80 secure shell private keys were found on 0.9 million hosts.
The use of static credentials in firmware open up the devices to silent man-in-the-middle (MITM) data interception attacks, rendering hundreds of devices vulnerable. According to SEC Consult’s scans, telco incumbent Telstra has left the secure shell (SSH) interface exposed to the internet on more than 26,000 Cisco devices. The vendor has confirmed the vulnerability.
A total of 25 Cisco network products are affected by the vulnerability with no software/firmware fix or workaround available, the vendor said.
SEC Consult said the firmware keys are often shared between different vendors and appear to have come from the software development kit used to create the device management utilities. Over a million Huawei-made devices on Mexican telco TelMex’s network are vulnerable to data interception attacks, SEC Consult noted, along with hundreds of thousands others in the United States, Brazil, Spain, Colombia, Canada, China, Russia, Taiwan and the UK.
The problem is industry-wide, SEC Consult said, having discovered that more than 900 products from around 50 well-known device vendors are vulnerable. SEC Consult recommended vendors make sure their devices use random, unique cryptographic keys that are computed in the factory or when the system first boots up. Vendors should also deliver fixed firmware and remove static SSL/SSH keys.
Internet providers should make sure that remote access via the internet to customer premises equipment is not possible; this should only be done via a dedicated virtual local area network (VLAN) with strict access controls. No communication between customer premises equipment should be permitted, the security vendor suggested.
Senetas high-assurance security comments
The use of routers and switches in any data network as security devices are simply ‘traps for the trusting’. They are not effective security devices, they do not function to an accepted security standard and often adversely affect network performance at high costs to customers.
Although we’ve heard similar revelations in the past, what makes this news different is that SEC Consult’s findings are the result of actual network scanning research.
When we talk about best-of-breed network security, what do we mean? Well, there are three essential components:
- Separation of responsibilities – the security devices must exclusively perform encryption security functions and not be accessible at any point.
- Robust encryption – standards based and certified and end-to-end network encryption.
- Best practice Encryption Key Management – what some refer to as ‘unbreakable encryption’ where only the customer has access to its encryption keys. (Neither the network vendor nor any third party service provider (e.g. Cloud) can access the encrypted keys.)
The discovery that more than 900 network devices from well-known vendors are vulnerable highlights the importance of purpose built, best-of-breed encryption security hardware. Only with such end-to-end encryption can customers be sure that router and switch vulnerabilities will not lead to serious breaches of privacy, loss of intellectual property or financial penalties.