Breaking SSL on Embedded Devices

Hey, here's an idea: maybe don't bake the same private key into every piece of hardware you ship!

(Of course, for SSL the alternative is to either use self-signed keys, meaning "terrify and irritate users with a repeating security alert", or increase the price of your product by $400 per unit in order to pay the Verisign Tax.)

/dev/ttyS0 Blog

That's where the LittleBlackBox project comes in. [...] She can feed it a network capture file of Alice and Bob's router traffic and it will find the public certificate exchange and automatically look up the corresponding private key for her. She can give it the host name or IP address of Alice and Bob's router, and it will retrieve the public certificate from the router and look up the corresponding private key for her. She can... well, you get the picture.
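
From the device owner's side, the same shared-key problem can be checked across an inventory. The following is an added example, not code from this post or from the LittleBlackBox project: it groups devices by the SHA-256 fingerprint of the certificate each one presents and reports any certificate seen on more than one device. The host addresses and certificate bytes are constructed placeholders, and `collect` assumes the devices serve HTTPS on port 443.

```python
import hashlib
import ssl
from collections import defaultdict


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER bytes, so PEM line-wrapping differences do not matter."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def shared_certificates(inventory: dict) -> dict:
    """Return {fingerprint: sorted hosts} for certificates presented by 2+ hosts.

    An identical certificate on several devices means they hold the same
    private key. Distinct certificates can still wrap one key; catching that
    needs a comparison of the public keys, which this sketch does not do.
    """
    by_fp = defaultdict(list)
    for host, pem in inventory.items():
        by_fp[fingerprint(pem)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


def collect(hosts, port=443):
    """Fetch the certificate each device presents (needs network access).

    No chain validation is done: self-signed device certificates are expected.
    """
    return {h: ssl.get_server_certificate((h, port)) for h in hosts}


# Constructed sample: placeholder bytes stand in for real DER certificates,
# and the addresses are documentation-range IPs, not real devices.
FIRMWARE_CERT = ssl.DER_cert_to_PEM_cert(b"constructed firmware default certificate")
UNIQUE_CERT = ssl.DER_cert_to_PEM_cert(b"constructed per-device certificate")
SAMPLE_INVENTORY = {
    "192.0.2.10": FIRMWARE_CERT,
    "192.0.2.11": FIRMWARE_CERT,
    "192.0.2.12": UNIQUE_CERT,
}

if __name__ == "__main__":
    for fp, hosts in shared_certificates(SAMPLE_INVENTORY).items():
        print(f"{fp[:16]}... presented by {', '.join(hosts)}")
```

Devices that show up in the output should have their certificate and key regenerated per unit.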

2 Responses:

  1. tegeran says:

    I'm guessing this is crap consumer gear. The HTTPS-administered hardware I've seen doesn't bother with certs signed by widely-trusted roots in the first place, and assumes anyone capable of configuring it is also capable of going click-click on the right buttons to permanently trust the cert.