For example, a certificate issued to a person named "Daniel" with the email address firstname.lastname@example.org was found in firmware from Actiontec, Aztech, Comtrend, Innatech, Linksys, Smart RG, Zhone and ZyXEL, the SEC Consult researchers said. The certificate comes from a Broadcom SDK and is used by over 480,000 devices on the Internet, they said.
In another case, a certificate issued to a company called Multitech from Bangalore, India, was found in firmware from Aztech, Bewan, Observa Telecom, NetComm Wireless, Zhone, ZTE and ZyXEL. That certificate was tracked to an SDK for ADSL2+ routers from Texas Instruments and is used by over 300,000 devices on the Web.
Another 80,000 devices, mostly WiMAX gateways from Green Packet, Huawei Technologies, Seowon Intech, ZTE and ZyXEL, use a "MatrixSSL Sample Server Cert" certificate.
There are several reasons why so many devices are accessible from the Internet via HTTPS and SSH. These include insecure default configurations by manufacturers, automatic port forwarding via UPnP, and provisioning by ISPs, which configure their subscribers' devices for remote access and management, the researchers said in their report.
"Vendors should make sure that each device uses random, unique cryptographic keys," the researchers said. "These can be computed in the factory or on first boot. In the case of CPE [customer premises equipment] devices, both the ISP and the vendor have to work together to provide fixed firmware for affected devices."
Where possible, users should change the SSH host keys and HTTPS certificates on their devices. Unfortunately, this requires technical knowledge beyond that of an average home user and is, in many cases, impossible, especially on devices that have been locked down by ISPs.
Sign up for CIO Asia eNewsletters.