26,000 routers at risk; BlackBerry exits over surveillance; 6.4m kids' data exposed


By Andrew Collins
Thursday, 03 December, 2015


Telstra is leaving more than 26,000 of its customers’ Cisco devices open to remote exploitation, according to new research published by infosec company SEC Consult.

The Telstra finding was part of a broader investigation by the infosec company into industry-wide HTTPS certificate and SSH key re-use.

SEC Consult said it analysed the cryptographic keys (public keys, private keys and certificates) in the firmware images of more than 4000 embedded devices from more than 70 vendors — including devices like internet gateways, routers, modems, IP cameras, VoIP phones and the like.

The company found more than 580 unique private keys across the 4000+ devices.

SEC Consult then examined data from internet-wide scans and found that the set of 580 keys contained the private keys for more than 9% of all HTTPS hosts on the web and the private keys for more than 6% of all SSH hosts on the web.

These “static keys” have been “embedded, essentially ‘baked in’ the firmware image (operating system) of devices and are mostly used for providing HTTPS and SSH access to the device. This is a problem because all devices that use the firmware use the exact same keys,” SEC Consult said.

This opens the way for impersonation, man-in-the-middle or passive decryption attacks, the company said.

In some cases, SEC Consult said, “ISPs expose their subscribers’ devices (CPE — customer premises equipment) to the internet. By correlating the affected hosts with GeoIP information, we found large clusters of devices with the same keys located in the networks of different ISPs. We can deduce that devices are CPEs provided to subscribers. These devices are owned, distributed and managed by ISPs and use ISP-specific firmware. Some ISPs have a particularly bad track record when it comes to exposing remote management interfaces … Telstra in Australia exposes SSH remote administration on more than 26,000 Cisco devices.”
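The audit SEC Consult describes boils down to two steps: fingerprint the certificates found inside firmware images, then look for the same fingerprints in internet-wide scan data, which tells you how many live hosts are serving a private key that anyone with the firmware already holds. The script below is an added example, not SEC Consult's tooling or Cisco's, and it uses standard-library Python only. It assumes the PEM blobs have already been pulled out of unpacked images; the firmware inventory, the scan observations and the certificate bodies are constructed stand-ins (the "DER" is a labelled byte string, which is enough to exercise the logic since only the identity of the bytes matters for a fingerprint). It fingerprints whole certificates; matching on the SubjectPublicKeyInfo instead would also catch the same key wrapped in different certificates, but that needs an ASN.1 parser.

```python
"""Audit for firmware-embedded ("baked-in") TLS certificates shared across devices.

Added example, not SEC Consult's tooling. All inputs are constructed stand-ins.
"""
import base64
import hashlib
import re
from collections import defaultdict

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def fake_pem(label: str) -> str:
    """Constructed PEM block whose 'DER' body is just a labelled byte string."""
    body = base64.b64encode(f"constructed-cert:{label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Hypothetical firmware inventory: image name -> PEM material found in that image.
FIRMWARE_IMAGES = {
    "vendorA-gateway-v1.2": fake_pem("A"),
    "vendorA-gateway-v1.3": fake_pem("A"),  # same cert carried between versions
    "vendorB-camera-v4": fake_pem("B"),
    "vendorC-voip-v7": fake_pem("C"),
}

# Constructed scan observations: (host, certificate the host presented on TCP/443).
SCAN_OBSERVATIONS = [
    ("198.51.100.10", fake_pem("A")),
    ("198.51.100.11", fake_pem("A")),
    ("198.51.100.12", fake_pem("A")),
    ("203.0.113.5", fake_pem("B")),
    ("203.0.113.6", fake_pem("unique-1")),  # per-device cert, not in any image
    ("203.0.113.7", fake_pem("unique-2")),
]


def cert_fingerprints(pem_text: str) -> list[str]:
    """SHA-256 fingerprints (hex) of every certificate in a PEM blob."""
    fps = []
    for match in PEM_CERT_RE.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def build_firmware_index(images: dict[str, str]) -> dict[str, list[str]]:
    """Map each certificate fingerprint to the firmware images that embed it."""
    index: dict[str, set[str]] = defaultdict(set)
    for image, pem in images.items():
        for fp in cert_fingerprints(pem):
            index[fp].add(image)
    return {fp: sorted(imgs) for fp, imgs in index.items()}


def shared_across_images(index: dict[str, list[str]]) -> set[str]:
    """Fingerprints baked into more than one firmware image."""
    return {fp for fp, imgs in index.items() if len(imgs) > 1}


def correlate_scan(observations, index):
    """Find scanned hosts that present a firmware-embedded certificate.

    Returns (clusters, affected_fraction): clusters maps fingerprint -> hosts,
    affected_fraction is the share of observed hosts whose private key is
    effectively public because it ships inside a firmware image.
    """
    clusters: dict[str, list[str]] = defaultdict(list)
    affected_hosts = set()
    for host, pem in observations:
        for fp in cert_fingerprints(pem):
            if fp in index:
                clusters[fp].append(host)
                affected_hosts.add(host)
    return dict(clusters), len(affected_hosts) / len(observations)


if __name__ == "__main__":
    index = build_firmware_index(FIRMWARE_IMAGES)
    clusters, fraction = correlate_scan(SCAN_OBSERVATIONS, index)
    print(f"{len(index)} unique embedded certs; "
          f"{len(shared_across_images(index))} shared across images")
    for fp, hosts in clusters.items():
        print(f"{fp[:16]}... in {index[fp]} -> {len(hosts)} hosts: {hosts}")
    print(f"{fraction:.0%} of scanned hosts present a firmware-embedded certificate")
```

On the constructed data, the vendorA certificate appears in two firmware versions and on three live hosts, and four of the six scanned hosts present a baked-in certificate. A host in one of these clusters cannot be fixed by patching alone: its key has to be regenerated on the device (or the exposed management interface taken off the internet), which is why ISP-managed CPE fleets with a single ISP-specific firmware produce the large same-key clusters the report describes.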

According to ITnews, Cisco has confirmed the vulnerability.

BlackBerry exits Pakistan

BlackBerry will soon cease operating in Pakistan, saying that the Pakistani government wanted too much access to BlackBerry customers’ information.

BlackBerry’s COO Marty Beard explained his company’s perspective in a blog post earlier this week.

“The truth is that the Pakistani government wanted the ability to monitor all BlackBerry Enterprise Service traffic in the country, including every BES e-mail and BES BBM message. But BlackBerry will not comply with that sort of directive. As we have said many times, we do not support ‘back doors’ granting open access to our customers’ information and have never done this anywhere in the world,” Beard wrote.

Beard denied that “Pakistan’s demand” was “a question of public safety”.

“[W]e are more than happy to assist law enforcement agencies in investigations of criminal activity. Rather, Pakistan was essentially demanding unfettered access to all of our BES customers’ information,” he wrote.

BlackBerry will no longer operate in the Pakistan market after 30 December, the COO said.

“While we regret leaving this important market and our valued customers there, remaining in Pakistan would have meant forfeiting our commitment to protect our users’ privacy. That is a compromise we are not willing to make,” he wrote.

Kids’ data exposed as toymaker hacked

Toymaker VTech has admitted that its customers’ information was accessed by an unauthorised party, with more than 6.3 million kids’ information exposed in the attack.

According to VTech, the hacker accessed data related to two systems: ‘Learning Lodge’, which allows customers to download content to VTech products, and ‘Kid Connect’, which allows parents using smartphones to chat with their children using VTech tablets.

The customer data compromised in the attack includes information on parents (names, email addresses and mailing addresses) and on the children using the company’s products (names, genders and birthdates).

The company revealed that more than 4.8 million parents’ accounts and more than 6.3 million children’s profiles were affected by the attack.

In Australia, 18,151 parent accounts and 23,096 child profiles were affected.

According to VICE, the hacker behind the attack found tens of thousands of pictures of parents and kids on VTech’s servers. The hacker reportedly shared a sample of 3832 image files taken from VTech’s servers with VICE for verification purposes.

VICE also suggested the hacker acquired audio files that appeared to be recordings of children’s voices.

VTech said it “cannot confirm at this stage” whether photos or audio files were taken in the attack, but claimed that photos and audio files on Kid Connect were encrypted by AES128.

The hacker reportedly said he doesn’t intend to publish or sell the data acquired in the attack.

“Frankly, it makes me sick that I was able to get all this stuff,” VICE quoted him as saying. “VTech should have the book thrown at them.”

Image courtesy Ralph Aichinger under CC
