Pre-loaded SSL private key unsafe?

bodski
DD-WRT Novice


Joined: 20 Dec 2010
Posts: 2

Posted: Mon Dec 20, 2010 17:24    Post subject: Pre-loaded SSL private key unsafe?
Hi, just thought I'd post a query about what you guys think about this:

http://code.google.com/p/littleblackbox/

It seems that there are over 6000 entries in this tool's DB that are for DD-WRT firmwares where the private SSL key is hardcoded into DDWRT firmware images.

Just thought that if this is for real, people should be warned about exposing SSL services such as HTTPS etc. to the internet from DDWRT, as this tool claims to make it trivial to intercept such connections.

Either way you guys need to clarify the situation on this.

further info:

http://it.slashdot.org/story/10/12/20/1414210/Database-of-Private-SSL-Keys-Published

https://threatpost.com/en_us/blogs/group-publishes-database-embedded-private-ssl-keys-122010


Last edited by bodski on Mon Dec 20, 2010 22:13; edited 1 time in total
I Use Dial
DD-WRT Novice


Joined: 15 Aug 2007
Posts: 45
Location: Morgan Hill, CA

Posted: Mon Dec 20, 2010 19:24
Seems clear to me: don't access the admin panel from outside your network or over unencrypted wireless (access to admin panel through wireless can be disabled Wireless->Advanced Settings->Advanced Settings->Wireless GUI Access->Disable).
_________________
There is but one Infinite Game.
I Use Dial
DD-WRT Novice


Joined: 15 Aug 2007
Posts: 45
Location: Morgan Hill, CA

Posted: Mon Dec 20, 2010 20:51
I just noticed that the mod locked a dup of this post that had a much better title (SSL Compromised on DD-WRT), then redirected users to the same post that he closed.

This post, titled 'littleblackbox', will probably get little interest from the random users seeking help, as evidenced by the substantially smaller view count.

_________________
There is but one Infinite Game.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

Posted: Tue Dec 21, 2010 0:02
Meh, it doesn't matter too much which thread is left open...

First of all, in other duplicate threads people have been saying some inaccurate things I want to clear up. DD-WRT is not 'the most affected' by this; the database consists mostly of DD-WRT keys because, although DD-WRT bakes a static key into the firmware, it uses a different key for each build. It does not affect any of your normal HTTPS/SSL traffic to websites, only traffic to the router's GUI using HTTPS. Also, in order for it to occur they have to be listening to traffic between you and the router.

I can't imagine any situation where an attacker would be able to capture the encrypted traffic and expect to get anyone to login to their router via HTTPS.

If you want to fix/avoid it then there are some solutions. To fix it you can use the firmware mod kit to put your own cert.pem and key.pem files in /etc. If you want to avoid the problem then you can use SSH tunneling to tunnel (my MOD: or any other vpn solution) to the GUI which is a very simple alternative.

http://www.dd-wrt.com/wiki/index.php/Easy_SSH_tunnels

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2025
Location: Sol System > Earth > USA > Arkansas

Posted: Tue Dec 21, 2010 0:34
Thank you for clearing that up phuzi0n. I myself use the SSH tunneling method. I believe this problem would then not affect me. Besides .... that "little black box" would have to be regularly updated with the newer keys from the 'beta' firmware. A lot of hype over nothing if you ask me.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
bodski
DD-WRT Novice


Joined: 20 Dec 2010
Posts: 2

Posted: Tue Dec 21, 2010 10:34
Thanks for clarifying this; it seems that the risk for most users is pretty low. Like others say, this appears not to affect SSH based connections.

I suppose the most likely affected would be administrators of networks that use the HTTPS to configure routers over insecure networks. Maybe an announcement with a warning for those possibly affected would be a responsible move though.

Is there any scenario where an HTTPS proxy running from dd-wrt would use this key for the SSL?

Out of interest, why would a pre-generated key that is available to anyone who looks in the firmware be considered more secure than a unique key generated on first boot? Yes, this key would have less entropy but is surely stronger than one that is publicly available to anyone who knows where to look!
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7385
Location: Little Rock

Posted: Tue Dec 21, 2010 11:17
This smells of the likes of the DNS rebind exploit that faded away back in the summer. I wonder a lot of times why these discoverers of nothing still have jobs.
_________________
Wireless N Config | Linking Routers | DD-WRT Wiki | DD-WRT Builds | Peacock - Broadcom FAQ

Having problems with port forwarding? Check out Port Forward Troubleshooting for more info.