Hundreds Of Thousands Of Home Routers Have SSH Key Vulnerability

John Matherly, creator of the Shodan website, has found that the same public SSH key is being used by 250,000 devices on the Telefónica de España network as well as 22,000 more devices in Taiwan, China, USA, and the Caribbean. Another SSH key is being used by 150,000 devices. It is suspected that the manufacturer or ISP used the same software image in all the routers. The devices on the Telefónica de España network are running a small SSH app called Dropbear SSH. The USRobotics USR9108 Wireless MAXg ADSL2+ Gateway does come with Dropbear SSH installed, but it is not clear whether this is the device in question.

The bigger question is why SSH is on these devices in the first place. For a home-use device, changes to settings are usually performed through an SSL- or password-protected web page served from the device. It is possible this is for remote administration by the vendor or the ISP. Since so many devices share the same SSH key, there is no way to tell individual devices apart except by the IP address each uses to connect to the Internet, which is not a good security practice.

What is really interesting is that this is not the only SSH key duplicated in bulk on the Internet. According to John, after running a simple Python script you can extract the top 1000 SSH keys used from Shodan. Here are the top 20:

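The same tally can be run against a fleet you manage to catch a cloned firmware image before it ships. This is an added example, not code from the original post or John Matherly's script: it computes the legacy colon-separated MD5 fingerprint of each host key and reports keys present on more than one host. The `host keytype base64-blob` line format (as printed by `ssh-keyscan`), the function names, and the sample inventory are assumptions made for illustration.

```python
import base64
import hashlib
from collections import defaultdict


def md5_fingerprint(b64_blob):
    """Legacy OpenSSH fingerprint: MD5 of the decoded key blob, colon-separated hex."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def shared_host_keys(inventory_lines):
    """Return [(fingerprint, [hosts])] for keys present on more than one host,
    most widely shared first. Lines are 'host keytype base64-blob'."""
    hosts_by_fp = defaultdict(set)
    for line in inventory_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # skip blanks, comments and lines with no key blob
        host, blob = fields[0], fields[2]
        try:
            hosts_by_fp[md5_fingerprint(blob)].add(host)
        except ValueError:  # binascii.Error (bad base64) is a ValueError
            continue
    shared = [(fp, sorted(h)) for fp, h in hosts_by_fp.items() if len(h) > 1]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))


# Constructed stand-ins for key blobs (not real keys), one per "firmware image".
IMAGE_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-image-A").decode()
IMAGE_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-image-B").decode()
IMAGE_C = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-image-C").decode()

# Constructed inventory using documentation-range addresses.
SAMPLE_INVENTORY = [
    "# constructed sample, not real scan output",
    f"192.0.2.10 ssh-rsa {IMAGE_A}",
    f"192.0.2.11 ssh-rsa {IMAGE_A}",
    f"192.0.2.12 ssh-rsa {IMAGE_A}",
    f"198.51.100.7 ssh-rsa {IMAGE_B}",
    f"198.51.100.8 ssh-rsa {IMAGE_B}",
    f"203.0.113.5 ssh-rsa {IMAGE_C}",   # unique key: not reported
    "203.0.113.6 ssh-rsa A",            # malformed base64: skipped
]

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_INVENTORY):
        print(f"{fp}  {len(hosts):>6}  {', '.join(hosts)}")
```

Any fingerprint this reports on more than one device means those devices cannot be told apart by host key, which is the condition the post describes.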

Link to John Matherly’s Blog article:

Post by Protocol 46