back to article Here's a great idea: Why don't we hardcode the same private key into all our smart home hubs?

Smart home company Zipato hardcoded the same private SSH key into every one of its hubs, leaving its system open to hacking, researchers revealed this week. The eggheads at security shop Black Marble demonstrated in a blog post how that flaw, combined with two related vulnerabilities, allows them to access the hub and devices …

  1. TonyJ Silver badge

    I am genuinely staggered that this kind of shit still happens.

    1. Duncan Macdonald Silver badge
      Unhappy

      Unfortunately I am not staggered

      All too many companies outsource software development to the cheapest sweatshop that they can find - and a coder in India making less per day than a burger flipper makes per hour in the West has very little incentive to produce good code.

      1. Anonymous Coward
        Anonymous Coward

        Re: Unfortunately I am not staggered

        It's pretty prejudiced that you don't seem to think that a Western coder making a decent wage is incapable of fucking things up to this extent. I personally know loads of devs, who could screw up even worse than this!

      2. batfink Bronze badge

        Re: Unfortunately I am not staggered

        If that key was in a folder called \etc\dropbear, I'd guess at an underpaid Aussie developer rather than an underpaid Indian one...

        1. This post has been deleted by its author

        2. Anonymous South African Coward Silver badge

          The drop-bear...

          appeared in the '/etc/dropbear/' folder and was called 'dropbear_rsa_host_key.'

          Is this a reference to "The Last Continent" by Pterry? Or was it an Aussie coder (as the previous poster implied)?

          1. Adrian 4 Silver badge

            Re: The drop-bear...

            I thought it was a reference to the upside-down slashes. But I see that was an invention of the commentard.

        3. Jamie Jones Silver badge

          Re: Unfortunately I am not staggered

          No, dropbear is the name of the ssh daemon, and /etc/dropbear is the default config directory.

          Now, "dropbear" https://matt.ucc.asn.au/dropbear/dropbear.html was written by an Aussie, but that says nothing about the hub.

        4. Richocet

          Re: Unfortunately I am not staggered

          Being based in Australia - it would be an Indian developer working in Australia on a temporary working visa. There are almost no Australians employed as developers here.

      3. jgarbo
        Holmes

        Re: Unfortunately I am not staggered

        This is not bad code, it's bad policy, therefore the blame/responsibility falls on the owner/manager of the operation, not the Indian on three chapatis a day. The US white men were lazy or stupid or both.

    2. sanmigueelbeer Silver badge

      I am genuinely staggered that this kind of shit still happens.

      If Cisco can do, so can the little guys.

    3. Anonymous Coward
      Anonymous Coward

      "I am genuinely staggered that this kind of shit still happens."

      How can we mass produce these devices?

      Well...we could just clone the file system. Whats the worst that could happen?

    4. Anonymous Coward
      Anonymous Coward

      I'm not, when they said "IoT" was the future this was the future I imagined. What till AI/ML get in everything, we'll be right back to square one because who wants to secure something when you are creating it? Security is then an afterthought that costs money.

      1. Richocet

        It's exactly what I imagined when IOT became a fad 5 years or so ago.

        I have learned to keep my thoughts to myself though as I can be perceived as too negative.

        1. MatsSvensson

          Its a security experts job to be perceived as negative by noobs.

          And to take notes about people complaining, and file them under "security risk"

    5. Tigra 07 Silver badge
      Facepalm

      RE: TonyJ

      "I am genuinely staggered that this kind of shit still happens."

      I'm genuinely not. People need to stop buying this crap, while the security is an afterthought. Car security for keyless entry to Jaguar Land Rover vehicles has been shit for over 10 years and yet people still buy them too. It's been common for people to turn up with cheap Ebay equipment to airport car parks and unlock hordes of cars with a transmitter and a signal from said equipment, yet people keep buying the cars... >>INSERT WTF GIF HERE<<

      Related disclosure: I have a friend who lives in a rather nice area and her partner has had 2 Land Rover Discoveries stolen from outside their house. Their next vehicle to replace it - Yep! A Land Rover Discovery. Some people don't learn.

      1. cosymart
        Happy

        Re: RE: TonyJ

        The car replacement is probably an insurance thing - replace like for like?

        1. Rich 11 Silver badge

          Re: Like for like?

          You mean replace 'easily stolen' with 'easily stolen'? I expect that insurance company will cotton on eventually -- and raise its premiums.

          1. Anonymous Coward
            Anonymous Coward

            Re: Like for like?

            "I expect that insurance company will cotton on eventually -- and raise its premiums."

            Or, as they did in London last year - refuse to insure it unless extra security measures were installed.

      2. simonlb

        Re: RE: TonyJ

        I understand people liking the keyless entry thing as a convenience, but when the security hardening for it is non-existent then it's a convenience I'd rather do without.

        1. Huw D Silver badge

          Re: RE: TonyJ

          "I understand people liking the keyless entry thing as a convenience"

          Every IoT thing under the sun is "a convenience". That's the problem. People would rather be lazy than secure.

          1. BrownishMonstr

            Re: RE: TonyJ

            Yep, totally being lazy.

            Has absolutely nothing to do with being disabled/frail/injured and wanting some sort of independence.

            1. Fred Dibnah Silver badge

              Re: RE: TonyJ

              Being disabled/frail/injured shouldn’t mean that your security has to be compromised.

              1. BrownishMonstr

                Re: RE: TonyJ

                I was replying to Huw D's comment saying people are being lazy.

                Not everyone is lazy, for some people using IOT devices might be a temporary/permanent necessity.

                1. Huw D Silver badge

                  Re: RE: TonyJ

                  I see your point Mr Monstr, but IoT is not marketed as an aid for people with impairments. IoT is marketed as convenience. I can see IoT being a quick fix for some people, but the people I know with long term disbilities are more likely to use a tried and trusted approach.

                  If you're going to be permanently in a wheelchair, do you a) pay for the light switches in your house to be moved to a lower level or b) get someone to fit a smart hub and some bulbs? You're more likely to go for option a) because there's going to need to be a metric fuck-tonne of work required for everything else as well.

            2. Huw D Silver badge

              Re: RE: TonyJ

              The solutions for people with disabilities/impairments have been there for years and don't require an IoT device.

              1. Is It Me Bronze badge

                Re: RE: TonyJ

                But the IoT devices make it much easier for people to get assistance, in that most of the people on here could now set up something with COTS IoT parts for a friend or relative.

                In the past you would have needed to call in a specialist company and the kit was significantly more expensive.

                1. ibmalone Silver badge

                  Re: RE: TonyJ

                  While this seems like a good idea, it's a road down which people who need assistance have to put up with compromised security (because why should they receive support to have things done properly when they can be done cheaply?), while the rest of us get to have a choice. When viewed from that angle it seems less enabling.

                  As usual, there's a sliding scale, not everyone who needs adaptations to help with everyday living needs their whole home modified. And some of this technology can help, but it needs to be secure for all our sakes. Which is where lazy (using something assistive to make life easier for whatever reason) is being conflated with lazy (consumers being averse to the small additional amount of effort to set up properly secure devices).

        2. mikepren

          Re: RE: TonyJ

          Convenient for car thieves

        3. RFC822

          Re: RE: TonyJ

          You are always going to be somewhere in the Security/Convenience/Cost triangle - you can minimise any two, but only at the expense of the third.

          I understand that the latest generation of keyless entry key fobs only transmit when movement is detected, so they are relatively immune to the amplified relay attack, especially when the keys are left on the hall table overnight. No doubt it won't take the bad guys very long to discover a new way to steal cars, though.

        4. hoola Bronze badge

          Re: RE: TonyJ

          Too many people simply don't give a stuff about security of any electronic devices (that includes cars). All security is an inconvenience and computer/phone/car security even more so because it is so easily bypassed.

          The manufactures of all this crap are equally to blame because the only things left to differentiate one boring thing from another is software features that add little (no!) value.

          Why the hell a car needs to be keyless entry just defeats me. For most is it the next most valuable piece of property (or the bank's) after their home. But then I supposed the same people put electronic locks on their doors because getting the key out whilst clutching their phone and takeaway is too difficult.

          1. 96percentchimp

            Consumers assume that their purchases will be secure

            Consumers (i.e. not Reg readers) assume that when they buy something that says it's secure, it will be secure. They don't expect to have to understand every nuance of the technology. And they don't take additional steps to enforce it because (a) they don't know where to start and (b) most people assume the world of sales and marketing isn't full of lying, cheating arseholes, despite all evidence to the contrary.

            The problem is that there's no regulatory environment to enforce their assumption. We should be passing laws (like California) to ensure a minimum level of security and establish a regulatory authority to enforce it (or task an existing regulator, while giving it sufficient resources to do so). Instead, we're wasting time on Brexit, endlessly, and so failing to tackle this and a thousand other more pressing problems.

    6. Lee D Silver badge

      I have to say that I'm not at all surprised.

      If I *did* ever desire this kind of useless home automation, I'd do it with a proper access control system. If I desperately needed voice control, etc. that's not available, I'd interface to that access control via one of the many Open Source home automation things, that work offline, without DRM or centralised control, and off my own hardware (so you can limit this sort of thing to a closed-off VLAN).

      The commodity nature of this trash is what's making it insecure. "Plug n Play" is just another phrase for "Anyone can do stupid stuff".

      Honestly, I'd rather manage a bunch of Raspberry Pis with some interface circuitry and do it myself. The management burden would be huge but a lot less to worry about in the end that putting this stuff on my Wifi / Ethernet networks.

    7. unimaginative

      its easy. If you do not have distinct keys you can just use a single image that you use on each device, and that is it.

      Otherwise you need to have some sort of set up process that sets up keys (and passwords) and records them.

      1. Richard 12 Silver badge

        A lot of microcontrollers and almost all microprocessors have a built-in unique serial number which could be hashed.

        Any platform capable of running dropbear has user-writable persistent storage that can be used to save an initial one-time-setup key.

        So yes, it's pure laziness.

  2. Blockchain commentard Silver badge

    Smart home controlled by a stupid hub. How iften are we going to hear this over the next few years?

    1. sitta_europea Bronze badge

      "Smart home controlled by a stupid hub. How iften are we going to hear this over the next few years?"

      We just need to stop using two words:

      1. Smart.

      2. Secure.

  3. Anonymous Coward
    Anonymous Coward

    Not just IoShit

    A few years ago a large enterprise security vendor also shipped SW / appliances with duplicate SSH keys.

    It will happen again - SSH security hardening is not part of the mindset when developing new version of software.

    1. It's just me
      Linux

      Re: Not just IoShit

      I discovered the same problem in an open-source intrusion detection system distribution a year or two back as well. Every installation from the ISO they provided would include the same SSH private key. I notified the author and in less then a day they had a new ISO posted with a modified installer that generated a new key during installation.

  4. adam payne Silver badge

    he company has put out a software update that should fix the API holes and has scrapped the single hardcoded SSH private key.

    How are they contacting people who have purchased their dodgy boxes?

    How many of their boxes will remain unpatched as the people using them don't know about the patch?

    1. BebopWeBop Silver badge
      Thumb Down

      Two word answer - 'aren't and most' I suspect

      1. keith_w

        'aren't and most'

        That would be 3 words by my count.

    2. mj.jam
      Joke

      They don't need to contact them. They can just SSH in using their backdoor and upgrade them.

    3. DropBear Silver badge

      In general terms, without any claim of knowing the specific circumstances here, the very first thing absolutely all of these boxes do is either nag or outright compel you into registering with their cloud. Once they have the associated email, it's really up to them whether they feel like contacting you (or just throwing up an "uh-oh, must update right now!" page instead of your regular one at your next login).

      As a side note, they can also very well do that without any registration at all, much as Firefox or any software can - simply by having the hub call home and check for updates whether you asked it to or not. But make no mistake, they usually prefer to have you registered nonetheless...

    4. the Jim bloke Silver badge
      Gimp

      Re: How are they contacting people who have purchased their dodgy boxes?

      They walk into their houses and leave a note on their pillows ??

  5. simonlb
    Thumb Down

    Still no, and for two main reasons

    Until there is an industry standard protocol for this IoT stuff to conform to, along with a full, independent certification and rating system which covers all aspects of the various devices' operation with explicit attention focused on security, I am not interested. Leaving this to the individual vendor to figure it out is not even an option. Having an agreed protocol to cover these things also - in theory - means you can mix'n'match stuff from different vendors with minimum fuss, as well as potentially reducing the need for updates to be pushed out to the devices.

    Mind you, tying yourself into one vendors kit still leaves you open to subsequent abuse from them when they decide one or all of your current devices are no longer going to be supported by them after a certain date, meaning you have to replace them. And that is not cheap.

    1. DropBear Silver badge
      Alert

      Re: Still no, and for two main reasons

      Not that I disagree, but it should be noted that in this _specific_ case we're talking about z-wave devices, which is a globally interoperable standard. So even if everything you bought is branded "Zipato", you're free to chuck out just that hub at any moment for any reason and simply start using any competing manufacturer's hub (or even roll your own based on open source software, a Raspberry Pi / Orange Pi / whatever and a USB z-wave dongle) and pick up pretty much exactly* where you left off.

      *yes there will be minor advantages in integration with a manufacturer's own kit, but no functionality of significance is supposed to be lost by switching to anything else. As with everything else in practice, ultimately the devil is always in the details - when in doubt, ask first...

      1. simonlb

        Re: Still no, and for two main reasons

        That's a good point and to be honest I don't actually have an issue regarding the functionality and interoperability of these devices and their respective hubs themselves. What I do believe is sorely needed is for it all to be encapsulated within an inherently secure and robust protocol so that the hard part - the security - is already done for you and neither the vendors or end users then need to be concerned about enforcing security as it is already there.

        As it stands the obvious lack of concern around security in these devices from the vendors makes this a non-starter for me.

      2. Anonymous Coward
        Anonymous Coward

        Re: Still no, and for two main reasons

        > z-wave devices, which is a globally interoperable standard

        ... that is proprietary and has been hacked before.

  6. s2bu

    Host Key != User Private Key

    The article says:

    "The key was extracted by simply imaging the hub's SD card: in appeared in the '/etc/dropbear/' folder and was called 'dropbear_rsa_host_key.'"

    dropbear_rsa_host_key is just that, a HOST key. While sharing host keys is frowned upon as it can open up MITM attacks, it is NOT the same as a user private key can that be used to login to something!

    That part of the article doesn't make sense!

    1. mj.jam

      Re: Host Key != User Private Key

      Because they also added it as an authorised key, allowing anybody with the corresponding private key to connect.

      Reusing the key they were connecting out with is bizarre

    2. Anonymous Coward
      Anonymous Coward

      Re: Host Key != User Private Key

      I was also a little confused, but it turns out that in SSH, you can use a private/public key pair to log in instead of a password, if the key is authorized.

      They used the same private key on all devices.

      This same private key is also authorized for remote logins.

      Conclusion: The private key on my device can log into your device.

      It's like default passwords.

      1. I.Geller Bronze badge

        Re: Host Key != User Private Key

        AI answers questions, right? But it can also ask questions, matching them to the answers in its AI database. AI is a unique User Private Key.

      2. s2bu

        Re: Host Key != User Private Key

        That’s a user key, not a host key!

        1. Bronek Kozicki Silver badge

          Re: Host Key != User Private Key

          Yes I was confused by that too, but it appears they reused that same private key for both purposes.

        2. I.Geller Bronze badge

          Re: Host Key != User Private Key

          What's the difference? Both receive unique AI databases. Absolutely unique! Which identifies you by itself, into an automatic mode, for instance asking questions. And your status remains in this database, which is also a blockchain database, i.e. cannot be faked in no way.

          Sorry I cannot demonstrate and sell this miracle... Only patents.

  7. Pascal Monett Silver badge

    "smart home product manufacturing 101"

    Currently, the "smart" home product manufacturing 101 manual is as follows :

    1) Find some everyday thing and make it more complicated, and need batteries

    2) Definitely do not do any sort of penetration testing whatsoever

    3) Hype the shit out of whatever it is and flog it off at the highest possible price

    4) Cash in and never change anything until your customers are readying their torches and pitchforks

    Security ? They've heard of it.

    1. Terry 6 Silver badge

      Re: "smart home product manufacturing 101"

      Security ? They've heard of it.

      Err? Maybe not.

      1. Dr Dan Holdsworth Silver badge
        FAIL

        Re: "smart home product manufacturing 101"

        To be honest even manufacturers of old-fashioned mechanical locks can turn out some astonishingly crap devices. The American manufacturer Masterlock is the most famous of these; their padlocks are normally very robust against the standard "Ape with big hammer", but the moment said ape grows a brain and uses even a modicum of intelligence, their products often fail and fail badly. For instance, if one puts tension on some of their padlocks then taps gently and repeatedly with a hammer, the locking pawls creep open and the lock fails.

        Masterlock locks are also noted for not using any of the many techniques available to frustrate bump key users and novice lock pickers. They have even included the classic "one key-like device opens everything" on some models, by leaving a bypass vulnerability open.

        Like all the Internet of Things makers, they are relying on thieves being uncommon and generally spectacularly stupid, so even a little security will defeat them.

    2. Anonymous Coward
      Anonymous Coward

      Re: "smart home product manufacturing 101"

      It's not that they don't do penetration testing they just think that by employing devs they are covering themselves without realising that pen testing can be a whole other field, plus it's about costs, do you want to pay x for experienced competent developers that think of all issues or do you want to pay y for cheap devs just out of HTML school that can just about do the job using the internet to write the code? y < x by a magnitude.

    3. Lee D Silver badge

      Re: "smart home product manufacturing 101"

      You forgot:

      5) Obsolete the hardware after a year or two, push out a new range "with the fix", and cut off everything to do with the old stuff so you can't even use them any more.

      1. Fred Dibnah Silver badge

        Re: "smart home product manufacturing 101"

        So obsolete is now a verb. I surrender.

        1. John Brown (no body) Silver badge

          Re: "smart home product manufacturing 101"

          Obsolete has been verbed. I surrender

          FTFY :-p

        2. the Jim bloke Silver badge
          Unhappy

          Re: "smart home product manufacturing 101"

          We cant use "obsolete" anymore, it has become a verb.

          We need some kind of replacement...

    4. David Lewis 2
      Facepalm

      Re: "smart home product manufacturing 101"

      1) Find some everyday thing and make it more complicated, and need batteries and an internet connection!

      FTFY

    5. JLV Silver badge
      Thumb Up

      Re: "smart home product manufacturing 101"

      You forgot :

      5): make it dependent on some “cloudy stuff” so that it won’t work anymore when the company gets bored, goes out of business or the network goes down.

      6): leverage #5’s connectivity (pardon the corps-speak) to slurp up all the data you can.

      Cf: Nest thermostats.

  8. Whitter
    Trollface

    Smart hub

    Can we just call them "Stupid hub"s now?

    1. STOP_FORTH
      Joke

      Re: Smart hub

      I just told the meter reader that I didn't want one of his new "Stupid Meters".

      I don't want people to know how stupid I am.

    2. Paul Kinsler

      Re: Can we just call them "Stupid hub"s now?

      Or "Shub" for short. Because they do for your home security what H.P Lovecraft wrote might (fictionally) happen to your peace of mind.

      Interestingly, Wikipedia contains this sentence on the subject of Shub-Niggurath: "in a letter to Willis Conover, Lovecraft described her as an "evil cloud-like entity".

      1. Danny Boyd

        Re: Can we just call them "Stupid hub"s now?

        Receive an upvote, Sir, for introducing an IT reference in the discussion.

  9. Anonymous Coward
    Facepalm

    The upshot: they can open your front door with a laptop.

    The upshot: they can open your front door with a laptop.

    I just wanted to highlight that. Staggering. Absolutely f**king staggering.

    1. defiler Silver badge

      Re: The upshot: they can open your front door with a laptop.

      But you could often open somebody's front door with a laptop back in the 1990s. That was largely because they weighed about as much as a fire extinguisher, though.

      1. Jimmy2Cows Silver badge

        Re: The upshot: they can open your front door with a laptop.

        Ah yes reminds me of my early noughties custom 'gaming' laptop. Badass for its time, it had about the size, thickness and weight of a paving slab. Still have the thing somewhere. Power brick the actual size and weight of a house brick. On of those dark blue/purple damp-proof ones. Those were the days...

    2. the Jim bloke Silver badge
      Trollface

      Re: The upshot: they can open your front door with a laptop.

      That means its secure.

      up until the chavs can get it as an app on their phone

  10. ForthIsNotDead
    Boffin

    It happens because its actually really very hard to produce unique keys, and burn them into the non-volatile memory of a CPU/microcontroller, or a Flash/FRAM device or an SD card, as the devices fly down the production line in QianDong or wherever they are being made.

    Producing secure devices in a mass-production environment and keeping them secure is actually really really really hard. If I am manufacturing 250,000 devices, am I going to generate 250,000 unique SSH keys, give them to my (Chinese) manufacturer, and expect them to ensure that each device is programmed with a unique key, and correlate the devices to the keys (so that I know which device has which key) AND keep all that from leaking to ______ (insert name of dodgy hacking outfit here)?

    I think not. It's really fucking hard.

    1. Sean o' bhaile na gleann

      So that's an excuse, is it?

      If I am manufacturing 250,000 devices ... >> is that all?

      am I going to generate 250,000 unique SSH keys ... >> yes!

      give them to my (Chinese) manufacturer, and expect them to ensure that each device is programmed with a unique key ... >> absolutely

      and correlate the devices to the keys (so that I know which device has which key) ... >> that has to be a MINIMUM expectation.

      AND keep all that from leaking to ______ ... >> whyever not?

      It's really fucking hard ... That's exactly the way it should be!

      1. TimMaher Bronze badge

        Also, @Sean, to further your comment.

        When I buy a bright new shiny thing, it has a serial number on the bar code label on the box.

        It has the same serial number on a sticky label on the bottom (in especially difficult to read typeface) of the shiny thing.

        The same serial number can be viewed in the badly designed, insecure, web page that laughingly passes for an admin interface for the shiny thing.

        So, IMHO, it really cannot be difficult to generate SSH keys and install them on the production line.

    2. dcluley

      Years ago when I used to teach networking, Cisco routers would not allow a remote password to be installed other than by a direct wired connection to the router. Do they not do this now?

    3. Down not across Silver badge

      If I am manufacturing 250,000 devices, am I going to generate 250,000 unique SSH keys, give them to my (Chinese) manufacturer, and expect them to ensure that each device is programmed with a unique key, and correlate the devices to the keys (so that I know which device has which key) AND keep all that from leaking to ______ (insert name of dodgy hacking outfit here)?

      No. You're going to have the device to generate its key on start up if one does not exist.

      Why would you need to know the device's key? If it is for some ill-adviced clody paltform, the device can tell the platform its key when it registers itself.

      1. Commswonk Silver badge

        ill-adviced clody paltform

        Sounds like something thought up by Douglas Adams.

        1. Down not across Silver badge
          Pint

          I hate these modern island/chiclet/chickenshit keyboards. That's my excuse anyway, and I'm sticking to it. Have an upvote and one of these --->

    4. Loyal Commenter Silver badge
      FAIL

      correlate the devices to the keys (so that I know which device has which key)

      Why in $deity's name would you want to do that? So you can have some database of backdoors to all those devices? When someone buys your bit of kit, why would they want you to be able to access it via its baked-in key?

      1. Anonymous Coward
        Anonymous Coward

        When someone buys your bit of kit, why would they want you to be able to access it via its baked-in key?

        Because they expect me to log in remotely and troubleshoot their problems.

        When I was maintaining the code for an expensive appliance (didn't design it, mind you), all those boxes in the field would connect via VPN to a central vendor server. Every firmware version had a different hardcoded root password, that was deemed secure enough.

        Customers could disable remote maintenance but hardly anyone ever did.

        1. Terry 6 Silver badge

          Some people like to abdicate responsibility. When stuff happens they like to say, "You must have a way in, surely".

  11. Fred Dibnah Silver badge

    Clody Platform was a 1980s porn star.

  12. Anonymous South African Coward Silver badge

    The drop-bear really should hurry up and drop in like a ton o' bricks on insecure IoT devices.

  13. I.Geller Bronze badge

    AI again

    Sorry, I'm the only one who knows what AI is and who can tell you how to use it.

    Here's a great idea:

    AI database is a blockchain system where each personal device had a synchronized copy of AI. Therefore, AI becomes a private key: AI can just talk to you and determine who you are and what your rights are.

    1. JLV Silver badge

      Re: AI again

      This has nada to do with the article. Go troll elsewhere.

      1. I.Geller Bronze badge

        Re: AI again

        "From now on, every new hub will have a unique key."

        AI is a set of absolutely unique and constantly updated patterns.

  14. Outer mongolian custard monster from outer space (honest)

    Insert historical comment about this being 2019 and no manufacturer hard codes the SAME default public/private keys into all their devices. Yet again.

    I hope the baying mob that went after me on el reg's comment sections for suggesting this happens regular as clockwork in devices I test are by now, after multiple stories detailing this exact issue, actually starting to get just the tiniest of glimmers of a inkling of how completely clueless they were.

  15. crayon

    password protected folder?

    "The key was extracted by simply imaging the hub's SD card: in appeared in the '/etc/dropbear/' folder and was called 'dropbear_rsa_host_key.' The folder was password protected but easily cracked with some readily available software."

    How does one password protect a folder/directory on presumably a *nix system (that the device in question is running on)?

    1. ibmalone Silver badge

      Re: password protected folder?

      One doesn't, the description in the article is incorrect. According to the blog post:

      The SSH key was found by removing the SD Card from the device and imaging the SD Card. SSH key was found in '/etc/dropbear/' with the name 'dropbear_rsa_host_key' which is password protected when using this format but you can still extract the Private and Public key.

      It's a password-protected private key (openSSH format). However the default for this is no longer secure and now vulnerable to brute-force attacks: https://www.digitalocean.com/community/questions/is-the-password-on-my-ssh-keys-really-secure and [wayback link to ref.d details]

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019