U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Shodan Founder finds 250,000 routers sharing same SSH keys

The Founder of Shodan John Matherly was revamping the SSH banner when discovered a large number of devices that share same SSH keys. The Founder of Shodan, John Matherly, has conducted in December 2014 a personal research discovering that more than 250,000 routers used in Spain and deployed by Telefonica de Espana, and thousands more used in other […]

Shodan Founder finds 250,000 routers sharing same SSH keys

The Founder of Shodan John Matherly was revamping the SSH banner when discovered a large number of devices that share same SSH keys.

The Founder of ShodanJohn Matherly, has conducted in December 2014 a personal research discovering that more than 250,000 routers used in Spain and deployed by Telefonica de Espana, and thousands more used in other countries worldwide are using the same SSH keys

Matherly was revamping the SSH banner and collecting the fingerprint, when he observed that a few SSH keys were used by several devices.

For example, the following SSH fingerprint is used by 250,000 routers.

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

ssh keys fingerprint Shodan

 

Matherly explained that the routers appear to be sold by Telefónica de España, the devices come pre-configured with the same operating system image. The expert highlighted that a small percentage of routers configured to allow a remote access may be vulnerable to cyber attack because share the same SSH private key.

“It looks like all devices with the fingerprint are Dropbear SSH instances that have been deployed by Telefónica de España,” Matherly wrote in a blog post.

“It appears that some of their networking equipment comes setup with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices.”

Matherly discovered other similar cases, separate batches of 200,000 and 150,000 devices were using the same SSH keys.

“The next duplicated fingerprint on the list comes in at around 200,000 devices, followed by another one used by 150,000 devices. By analyzing the facets it’s easy to get a picture of systemic issues that plague both hardware manufacturers as well as ISPs/ hosting providers.” continues the post.

Matherly has published on GitHub the list of unique fingerprints discovered in his analysis with Python script that he used to discover the duplicate SSL serial numbers.

https://gist.github.com/achillean/07f7f1e6b0e6e113a33c

The Reddit user cybergibbons run a similar analysis in UK discovering a block of shared fingerprints.

“11,5061, 7,875, and 2,224 instances of duplicates they said were linked to telcos Sky Broadband, TalkTalk and BT Plusnet

7c:a8:25:21:13:a2:eb:00:a6:c1:76:ca:6b:48:6e:bf --> 11561
a8:99:c2:92:08:fb:5e:de:4b:96:14:de:61:df:ad:6d --> 7875
03:56:e6:52:ee:d2:da:f0:73:b5:df:3d:09:08:54:b7 --> 2224
b4:af:64:0c:9a:ed:ed:4d:b1:c0:12:5d:c9:e4:c8:f0 --> 1210
eb:65:52:6e:40:28:af:a6:36:5b:b3:b4:0c:5d:32:3d --> 1082
39:aa:e4:e9:a2:e7:c1:04:9d:00:9f:b6:99:d5:9c:bd --> 879
57:94:42:63:a1:91:0b:58:a6:33:cb:db:fe:b5:83:38 --> 777
f9:76:13:e7:86:11:8b:64:0f:e0:39:ea:e9:14:a7:18 --> 742
14:96:82:72:6f:bc:a5:14:53:1c:72:71:0d:8b:cb:c2 --> 740
34:47:0f:e9:1a:c2:eb:56:eb:cc:58:59:3a:02:80:b6 --> 726

(Security Affairs –  Shodan , SSH keys)