If you thought IoT security was already bad ...

Subject: General Tech | September 7, 2016 - 12:25 PM |
Tagged: iot, security, ssh, idiots

The research that SEC Consult has conducted shows that almost half of all IoT devices, from your router straight through to devices in hospitals and factories use public SSH host keys and X.509 certificates.  Since these keys are known far and wide it is depressingly easy to break the encryption on any communications from these devices and harvest passwords and other data or even to change the contents of that package on the fly.  Imagine a heart monitor which reports a strong heartbeat long after the patient has died or a large machine in a power plant being given different readings to allow it to exceed safety margins and destroy itself.  This is only getting worse, as many companies creating these IoT devices are either trying to save money by using packaged software or in some cases are totally ignorant of the effect of reusing keys.

If you can, change your keys to be device specific and isolate them on your network.  As The Register unhappily points out, this is not something your average consumer or purchasing department is aware of, let alone proficient enough to change keys on their devices.

289B6CBB00000578-3079152-image-m-10_1431495618447.jpg

"Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications."

Here is some more Tech News from around the web:

Tech Talk

Source: The Inquirer