The Founder of Shodan, John Matherly, has conducted in December 2014 a personal research discovering that more than 250,000 routers used in Spain and deployed by Telefonica de Espana, and thousands more used in other countries worldwide are using the same SSH keys
Matherly was revamping the SSH banner and collecting the fingerprint, when he observed that a few SSH keys were used by several devices.
For example, the following SSH fingerprint is used by 250,000 routers.
Matherly explained that the routers appear to be sold by Telefónica de España, the devices come pre-configured with the same operating system image. The expert highlighted that a small percentage of routers configured to allow a remote access may be vulnerable to cyber attack because share the same SSH private key.
“It looks like all devices with the fingerprint are Dropbear SSH instances that have been deployed by Telefónica de España,” Matherly wrote in a blog post.
“It appears that some of their networking equipment comes setup with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices.”
Matherly discovered other similar cases, separate batches of 200,000 and 150,000 devices were using the same SSH keys.
“The next duplicated fingerprint on the list comes in at around 200,000 devices, followed by another one used by 150,000 devices. By analyzing the facets it’s easy to get a picture of systemic issues that plague both hardware manufacturers as well as ISPs/ hosting providers.” continues the post.
Matherly has published on GitHub the list of unique fingerprints discovered in his analysis with Python script that he used to discover the duplicate SSL serial numbers.
The Reddit user cybergibbons run a similar analysis in UK discovering a block of shared fingerprints.
“11,5061, 7,875, and 2,224 instances of duplicates they said were linked to telcos Sky Broadband, TalkTalk and BT Plusnet“
7c:a8:25:21:13:a2:eb:00:a6:c1:76:ca:6b:48:6e:bf --> 11561
a8:99:c2:92:08:fb:5e:de:4b:96:14:de:61:df:ad:6d --> 7875
03:56:e6:52:ee:d2:da:f0:73:b5:df:3d:09:08:54:b7 --> 2224
b4:af:64:0c:9a:ed:ed:4d:b1:c0:12:5d:c9:e4:c8:f0 --> 1210
eb:65:52:6e:40:28:af:a6:36:5b:b3:b4:0c:5d:32:3d --> 1082
39:aa:e4:e9:a2:e7:c1:04:9d:00:9f:b6:99:d5:9c:bd --> 879
57:94:42:63:a1:91:0b:58:a6:33:cb:db:fe:b5:83:38 --> 777
f9:76:13:e7:86:11:8b:64:0f:e0:39:ea:e9:14:a7:18 --> 742
14:96:82:72:6f:bc:a5:14:53:1c:72:71:0d:8b:cb:c2 --> 740
34:47:0f:e9:1a:c2:eb:56:eb:cc:58:59:3a:02:80:b6 --> 726
(Security Affairs – Shodan , SSH keys)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.