Digital technology has opened a world of solutions for small businesses by delivering increased levels of efficiency across the board. But it has also introduced threats to which they had never been previously exposed.
A study recently released by SEC Consult, an international provider of application security services and information security consultancy, has revealed at least one such new threat. SEC Consult reported recently that a practice of sharing the same HTTPS server certificates and Secure Shell Host (SSH) keys has put a number of small businesses at risk. This is after many were told changing from HTTP to HTTPS would provide better security for their websites.
A Brief Explanation of HTTPS
Hyper Text Transfer Protocol Secure (HTTPS) encrypts and decrypts user page requests to protect against eavesdropping and man-in-the-middle attacks. Because communications sent over regular HTTP connections are in ‘plain text’, they can be read by hackers while the messages are traveling between your browser and the website. With HTTPS, the communication is encrypted and the hacker can’t break into the connection.
That is how it is supposed to work, but if the HTTPS certificate and SSH keys are shared by using the same ones over and over, eventually someone could figure it out and read the communications.
SEC Consult analyzed the firmware of more than 4,000 embedded devices from 70 vendors by looking at the cryptographic keys, which included routers, modems, IP cameras, VoIP phones, network storage devices, Internet gateways and more. There were public and private keys as well as certificates in the firmware images.
The company exposed more than 580 unique private keys from the devices that were singled out. The researchers then correlated the keys from scans that were publicly available on the Internet, which led them to discover 150 certificates for 3.2 million HTTPS hosts. That translates to nine percent of all HTTPS hosts on the Web. The researchers further discovered 80 SSH host keys, or more than six percent of all secure shell hosts on the Web totaling 0.9 million hosts.
That comes out to at least 230 keys that are being actively used by more than 4 million devices. With so many devices, it should not come as a surprise some of the leading hardware manufactures in the world are affected by this glitch.
Some of the companies identified included Alcatel-Lucent, Cisco, General Electric (GE), Huawei, Motorola, Netgear, Seagate, Vodafone, Western Digital and many others, the report says.
Since this is on the hardware side of the products, vendors have to implement the fixes. According to Forbes, six vendors — Cisco, ZTE, ZyXEL, Technicolor, TrendNet and Unify — have confirmed fixes are coming. But this leaves very few options for small businesses that are using the affected devices. All they can do is wait for a patch from the company that made the product.
Some devices don’t allow the keys and certificates to be changed, which further complicates matters. SEC Consult said it will release all identified certificates and private keys shortly. In the meantime, you can go to the company’s site and read the report and find out if your small business is using a product from the list of companies.
https Photo via Shutterstock