Network equipment vendors are shipping the same private keys, HTTPS server certificates and SSH host keys across millions of devices, so the keys that are supposed to identify a device's login interface to the person connecting to it are neither unique nor secret, researchers have found.
Security vendor SEC Consult conducted internet-wide scans and analysed more than 4000 embedded firmware images from over 70 vendors, covering internet gateways, routers, modems, network cameras, voice over IP phones and other products.
From those images it extracted a data set of 580 unique private keys. Matching them against its scan data, it found that around 150 of the corresponding HTTPS server certificates were in use on approximately 3.2 million internet-facing systems.
A further 80 secure shell (SSH) host keys from the same data set were found on about 0.9 million hosts, the researchers said.
A private key baked into firmware is not secret: anyone can extract it from a downloaded firmware image and use it to impersonate the device's HTTPS or SSH management interface, or to decrypt captured sessions where the cipher suite lacks forward secrecy. That allows silent man-in-the-middle (MITM) interception of administrator logins and the traffic that follows, with nothing on the device to indicate it is happening.
Tens of thousands of devices deployed in Australia are affected.
According to SEC Consult's scans, telco incumbent Telstra has left the SSH interface exposed to the internet on more than 26,000 Cisco devices. Cisco has confirmed the issue.
A total of 25 Cisco network products are affected, with no software or firmware fix and no workaround available, the vendor said.
SEC Consult said the same keys often turn up in products from different vendors, and appear to originate in the software development kits (SDKs) used to build the devices' management software, from which the bundled example keys were shipped unchanged.
Over a million Huawei-made devices on Mexican telco TelMex's network are exposed to data interception, SEC Consult noted, along with hundreds of thousands more in the United States, Brazil, Spain, Colombia, Canada, China, Russia, Taiwan and the UK.
The problem is industry-wide, SEC Consult said: it found more than 900 products from around 50 well-known device vendors affected.
SEC Consult recommended that vendors make sure every device uses random, unique cryptographic keys generated per unit, either in the factory or when the device first boots.
Vendors should also ship fixed firmware that removes the static TLS and SSH keys. A caveat for already-deployed units: a firmware update only helps if installing it also replaces the old keys with freshly generated ones, rather than leaving the known key pair in place.
Internet providers should make sure that the management interfaces of customer premises equipment (CPE) are not reachable from the internet; remote management should only be possible from a dedicated virtual local area network (VLAN) with strict access controls.
No CPE should be able to communicate with other CPE on that network, the security vendor suggested.
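As an added illustration, not part of SEC Consult's report or tooling: an operator can check their own fleet for the reuse described above by fingerprinting the host keys that ssh-keyscan returns and grouping hosts by fingerprint. The script below parses OpenSSH public key lines, computes the same SHA256 fingerprint format that ssh-keygen prints, and reports any key seen on more than one host. The sample input is constructed: the hostnames are hypothetical and the RSA moduli are arbitrary integers, not real keys; only the reuse pattern matters.

```python
"""Audit SSH host keys for reuse across hosts.

Added example, not SEC Consult's code. Input is a list of (host, key line)
pairs in the form ssh-keyscan prints: "<type> <base64 blob> [comment]".
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH string (RFC 4251): 4-byte big-endian length + data."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    if n == 0:
        return struct.pack(">I", 0)
    # (bit_length + 8) // 8 leaves room for a leading 0x00 when the high bit is set,
    # so the value is never misread as negative.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _ssh_string(body)


def make_rsa_key_line(e: int, n: int, comment: str = "") -> str:
    """Build an OpenSSH 'ssh-rsa <base64> [comment]' line from (e, n).

    Used here only to construct sample input; the moduli passed in below are
    arbitrary integers, NOT real RSA keys.
    """
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()


def parse_key_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw key blob) for one OpenSSH public key line.

    Rejects lines whose declared type does not match the type embedded in the
    blob, which catches corrupted or hand-edited scan output.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii", "replace")
    if embedded != declared:
        raise ValueError(f"declared type {declared!r} but blob says {embedded!r}")
    return declared, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the format ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_of_line(line: str) -> str:
    _, blob = parse_key_line(line)
    return fingerprint(blob)


def find_shared_keys(scan: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Return {fingerprint: [hosts]} for every host key seen on more than one host."""
    by_fp: dict[str, list[str]] = defaultdict(list)
    for host, line in scan:
        by_fp[fingerprint_of_line(line)].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed sample: three CPE units running one firmware image with a baked-in
# key, plus one unit that generated its own key on first boot. Hostnames are
# hypothetical; the moduli are arbitrary odd integers, not RSA keys.
_SHARED_N = (1 << 2047) + 12345
_UNIQUE_N = (1 << 2047) + 67891
SAMPLE_SCAN = [
    ("cpe-a.example", make_rsa_key_line(65537, _SHARED_N, "firmware-1.0")),
    ("cpe-b.example", make_rsa_key_line(65537, _SHARED_N, "firmware-1.0")),
    ("cpe-c.example", make_rsa_key_line(65537, _SHARED_N, "firmware-1.0")),
    ("cpe-d.example", make_rsa_key_line(65537, _UNIQUE_N, "generated-on-first-boot")),
]

if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

On real data, feed it the output of `ssh-keyscan` over the management addresses of the fleet; because the fingerprint format matches `ssh-keygen -lf`, any hit can be compared directly against a key extracted from a firmware image. The same grouping applies to HTTPS: collect each device's certificate SHA-256 fingerprint (for example with `openssl x509 -fingerprint -sha256`) and group hosts by that value instead.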