Using default private keys to decrypt SSL streams

An old but hugely overlooked issue. Many appliance vendors ship their units with a default private key for SSL communications. Even if you reissue a new certificate, your appliance could still be using the same private key as everyone else’s.. and it’s typically bundled within the firmware packages publicly distributed by the application vendor. This affects everything from DD-WRT to enterprise class VPN appliances, tape libraries, and firewalls.

Well, someone has finally begun cataloguing these into a searchable database:
http://www.devttys0.com/2010/12/breaking-ssl-on-embedded-devices/

Just lookup the device in question, point the lookup tool to a running appliance, or feed it a packet capture or live network interface and it will provide any known private keys. Once the private key is obtained, you can decrypt the SSL stream with tshark:

tshark -nn -t ad -r <pcap_file> -o ssl.keys_list:<HTTPS_server_IP>,443,http,”<private_key.pem>” -V -R http

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.