Categories

Breaking SSL on embedded devices

Posted on Tuesday, December 28th, 2010 in hacks, reversed, security, utilities by the machinegeek

Developers use embedded devices all the time, often without implementing security measures. When they do, they often rely on SSL. As revealed by the LittleBlackBox project there exists a collection of thousands of private SSL keys extracted from various embedded devices. These private keys are stored in a database where they are correlated with their public SSL certificates as well as the hardware/firmware that are known to use those SSL keys.

As summarized by Embedded Device Hacking, “That means that if Alice and Bob are both using the same router with the same firmware version, then both of their routers have the same SSL keys. All Eve needs to do in order to decrypt their traffic is to download the firmware from the vendor’s Web site and extract the SSL private key from the firmware image.”

Interesting.

This entry was posted on Tuesday, December 28th, 2010 at 4:04 pm and is filed under hacks, reversed, security, utilities. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

One Response to “Breaking SSL on embedded devices”

  1. Conversely, all Eve needs to do is download an open source firmware and compile in a newly-created SSL private key. Then Bob has no hope of spying on Eve.

Leave a Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Recent Comments