

Database of private SSL keys for embedded devices - bensummers
http://code.google.com/p/littleblackbox/

======
tptacek

    select * from firmare
    [...]
    [4:08pm:~] RIDGELAND:tqbf [0:6]% pbpaste | egrep '[0-9]+\|[0-9]+\|[0-9]+' \
        | cut -d\| -f4-5 | cut -d\  -f1 | sort | uniq

Cisco|v1.0.1.3 - Cisco|v1.1.17.9 - Cisco|v2.0.0.11 - D-Link|v1.20b39 -
D-Link|v1.20b44 - D-Link|v2.02NA - D-Link|v2.03NA - DD-WRT|Accton -
DD-WRT|Aceex - DD-WRT|Actiontec - DD-WRT|AirLive/Ovislink - DD-WRT|Airlink -
DD-WRT|Alfa - DD-WRT|Asus - DD-WRT|Avila - DD-WRT|Bountiful - DD-WRT|Broadcom -
DD-WRT|Buffalo - DD-WRT|Compex - DD-WRT|D-Link - DD-WRT|DD-WRT - DD-WRT|DIR-300 -
DD-WRT|DIR-400 - DD-WRT|DIR-600 - DD-WRT|Doodlelabs - DD-WRT|EAP-3660 -
DD-WRT|ECB-3500 - DD-WRT|ECB-9750 - DD-WRT|EOC-1650 - DD-WRT|EOC-2610 -
DD-WRT|EOC-5610 - DD-WRT|ESR-9752: - DD-WRT|Edimax - DD-WRT|GW-MF54G2 -
DD-WRT|Gateworks - DD-WRT|JJPlus - DD-WRT|LaFonera - DD-WRT|Linksys -
DD-WRT|Mega - DD-WRT|Meraki - DD-WRT|Micro_OLSRD - DD-WRT|NEWD - DD-WRT|NOP-8670 -
DD-WRT|NS5 - DD-WRT|Netgear - DD-WRT|NoKaid - DD-WRT|OpenRB - DD-WRT|Pronghorn -
DD-WRT|Special - DD-WRT|Standard - DD-WRT|Standard_USB_FTP - DD-WRT|TP-Link -
DD-WRT|TRENDnet - DD-WRT|Tonze - DD-WRT|US - DD-WRT|Ubiquiti - DD-WRT|Ubiquity -
DD-WRT|VINTAGE - DD-WRT|VPN - DD-WRT|VoIP - DD-WRT|Voip - DD-WRT|WHA-5500CPE -
DD-WRT|WHR-HP-AG108 - DD-WRT|WLA-5000ap - DD-WRT|WLA-9000ap - DD-WRT|WP188 -
DD-WRT|WRT610N - DD-WRT|WTR54GS - DD-WRT|WiliGear - DD-WRT|Wistron - DD-WRT|Xbox -
DD-WRT|ZCOM - DD-WRT|dd-wrt.v24 - DD-WRT|dd-wrt.v24,Atheros - DD-WRT|v24 -
DD-WRT|v24-preSP2, - DD-WRT|v24-sp1 - DD-WRT|v24-sp1,Consumer -
DD-WRT|v24-sp1,Professional - Linksys|3.0.03 - Netgear|v1.0.0_09.25NA -
Netgear|v1.4.20

Wireless access points.

~~~
ten7
I don't get why this post keeps getting upvoted: it's mostly just a list of
DD-WRT firmware, a small percentage of the market most likely. And wouldn't that
be the most likely candidate for the appropriate fix, i.e. uniquely generated
keys on each device, not preprogrammed, and a way to import your own?

~~~
tptacek
Probably because it takes the 1.7 minutes required to download the stupid
database, dump it, and sum it up for everyone else?

------
jrockway
This is why I have my own CA. Too bad the router manufacturers don't do the
same; let the router generate a key-signing request, paste it into the
manufacturer's site (with a "real" SSL cert), download a file suitable for
providing to the router, enjoy secure VPN.

Oh yeah, but that would add like fifty cents to the cost of every $150 VPN
router, and we can't have that!

~~~
rlpb
Fifty cents and another ten dollars or more to deal with the extra tech
support.

~~~
jrockway
When you unpack and plug in a router, it automatically gets the current time
without any tech support. Why not get an SSL cert too?

~~~
JoachimSchipper
That works, but unless the router manufacturer has a sub-CA of a CA present in
all browsers, the above "extra tech support" is very true. And those sub-CAs
are _expensive_.

~~~
jrockway
Cisco can probably afford it.

But remember, we're only talking about SSL-based VPN boxes here. Joe Average
does not buy these, and the people that do are willing to pay; handling more
than one connection does require some not-tiny hardware. (I have a Soekris
router, and Gigabit Ethernet makes pf max-out the CPU at around 300Mbps.
OpenVPN... sooner. And this thing was $300. :)

------
modeless
This would only allow you to sniff/MITM SSL connections made by/to the router
itself, right? Not connections made by users of the router to servers on the
Internet. What do these routers use SSL for, anyway? Update checks? Admin
control panels?

~~~
sp332
I use SSL for my admin control panel. I don't know if it's really useful but I
feel better :-)

------
ten7
Great article. So what's the fix? What should the right approach have been?
Let's see a solution!

And yes, I read the blog post associated with it and didn't see a solution:
http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/

~~~
iuguy
The devices should've generated their keys (and provided a legit key import
and cert generation function) once initialised at home instead of
pre-generating them.

Of course, I'm waiting for the inevitable mashup with this and firesheep.

~~~
skymt
That would protect against passive attacks with known keys, but it would do
little to stop MitM attacks, since your freshly-generated certs haven't been
signed by a CA.

Is there a way to add a unit-specific salt to a cert?

~~~
iuguy
The easy way (and I'm not saying it's the right way, because it's not, but
it's probably the easiest way of getting it more right than it is now without
getting it right if that makes sense) is to generate a self-signed cert on
initialisation. Make everything needed available for import and alert on
changes. A unit-specific salt isn't necessarily the right way forward. What
you want is to import the private key (generated and confirmed on setup) to
import a certificate.
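As an added example (not code from this thread, from LittleBlackBox, or from any vendor), a stdlib-only Python sketch of the two defender-side checks the last few comments circle around: spotting that several devices in an inventory present the same certificate (the firmware-wide key the database catalogs, which also covers a published fingerprint list) and the "alert on changes" pin iuguy describes for a self-signed cert generated at initialisation. The PEM blobs and device names are constructed filler standing in for real DER; the fingerprinting is identical on genuine certificates.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Matches the body of a PEM certificate block (newlines inside are tolerated).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes inside a PEM certificate, as colon-separated hex."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def shared_key_report(device_certs: dict, known_bad: set) -> dict:
    """'shared': fingerprints presented by more than one device (a firmware-wide key);
    'known_bad': devices whose fingerprint is in a published list like the one above."""
    by_fp = defaultdict(list)
    for name, pem in device_certs.items():
        by_fp[cert_fingerprint(pem)].append(name)
    return {
        "shared": {fp: sorted(devs) for fp, devs in by_fp.items() if len(devs) > 1},
        "known_bad": {d for fp, devs in by_fp.items() if fp in known_bad for d in devs},
    }

def check_pin(pin_store: dict, device: str, pem: str) -> str:
    """Trust-on-first-use pin: record on first sight, then alert when it changes."""
    fp = cert_fingerprint(pem)
    previous = pin_store.get(device)
    if previous is None:
        pin_store[device] = fp
        return "pinned"
    return "ok" if previous == fp else "CHANGED"

def _fake_pem(filler: bytes) -> str:
    # Constructed stand-in: wraps arbitrary bytes where a real DER certificate would be.
    body = base64.b64encode(filler).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed inventory: two devices shipping the same baked-in cert, one with its own.
SAMPLE_CERTS = {
    "router-a": _fake_pem(b"cert baked into every image of one firmware version"),
    "router-b": _fake_pem(b"cert baked into every image of one firmware version"),
    "router-c": _fake_pem(b"cert generated on first boot of this one unit"),
}
```

Running `shared_key_report(SAMPLE_CERTS, set())` flags router-a and router-b as sharing one certificate; feeding the same inventory a set of fingerprints taken from the published database flags the matching units as known-bad.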

------
Raphael
Good to see Hacker News living up to its name.

------
mmaunder
Mostly used for home VPNs and router admin HTTPS, it looks like. Also DD-WRT is
fairly niche.

