From: Craig Heffner
Sent: Sunday, December 19, 2010 5:56 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Default SSL Keys in Multiple Routers
Many routers that provide an HTTPS administrative interface use default or
hard-coded SSL keys that can
These manufacturers use the same key on each of their models? That seems
ridiculous to me...
As a person who had a Siemens AP / router with a hardcoded, hidden
management account on it, I find your surprise entertaining ;-)
Craig, cool project.
/mz
concern,
but it is still interesting.
t
-----Original Message-----
From: Michal Zalewski [mailto:lcam...@coredump.cx]
Sent: Monday, December 20, 2010 8:16 AM
To: Thor (Hammer of God)
Cc: Craig Heffner; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Default SSL Keys
On Sat, Dec 18, 2010 at 7:13 PM, Craig Heffner cheff...@devttys0.com wrote:
The LittleBlackBox project contains a database of over 2,000 (and growing)
private SSL keys that are correlated with their respective public
certificates, and hardware/firmware versions. While most of these
On Mon, Dec 20, 2010 at 4:04 PM, BMF badmotherfs...@gmail.com wrote:
...
Most of what I have read so far indicates that these secret keys can
be used to sniff only administrative traffic to the device itself.
right. considering 97.3% of these devices have trivial XSRF, remote
access, and other
On Mon, Dec 20, 2010 at 7:04 PM, BMF badmotherfs...@gmail.com wrote:
On Sat, Dec 18, 2010 at 7:13 PM, Craig Heffner cheff...@devttys0.com wrote:
The LittleBlackBox project contains a database of over 2,000 (and growing)
private SSL keys that are correlated with their respective public
Many routers that provide an HTTPS administrative interface use default or
hard-coded SSL keys that can be recovered by extracting the file system from
the device's firmware.
The LittleBlackBox project contains a database of over 2,000 (and growing)
private SSL keys that are correlated with their
These manufacturers use the same key on each of their models? That seems
ridiculous to me...
T
-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Default SSL Keys in Multiple Routers
From a security standpoint, it is. But it's easier and probably more cost
effective for the manufacturer.
Sometimes the key will be different between firmware versions, sometimes it
won't. Sometimes