Four researchers, a zmap scan and a Friday afternoon have shown that while sys admins are cleaning the FREAK bug out of their Web servers, broadband routers remain a perpetual feast.
The boffins from Royal Holloway at the University of London – Martin Albrecht, Davide Papini, Kenneth Paterson and Ricardo Villanueva-Polanco – started with a scan of the IPv4 address space using zmap, to see how many TLS-supporting servers could still be asked to dip back to 512-bit ciphers.
“Of 22,730,626 hosts supporting TLS that we discovered, 2,215,504 offered export-grade RSA keys (all at 512 bits) when probed”, their paper states – a vulnerability rate which is lower than that reported when FREAK was first discovered.
That's a good thing, since it suggests that sysadmins have been turning off support for “export-grade” encryption since FREAK was first discovered.
That's also where the good news from the study ends, though, because the researchers made the stunning discovery that there are “large clusters of repeated moduli” – in other words, that some 512-bit RSA keys out there are repeated.
“One single modulus was found 28,394 times, two further moduli arose more than 1,000 times each and a total of 1,176 moduli were seen 100 times or more each”, the researchers write.
In the case of the key that turned up more than 28,000 times, the researchers say it was associated with an unnamed broadband router with an SSL VPN module – in other words, Vulture South guesses, we're talking about the persistent stupidity among vendors of generating a single key and hard-coding it into the device.
Such vulnerabilities are not surprising to anyone familiar with the security of home-grade equipment - merely depressing.
That high repetition rate would be a very attractive target for attacks, the researchers note, because it offers great leverage for the US$100 estimated cost of factoring a key using cloud resources: “spending $100 on factoring the most repeated modulus would enable a per-host breaking cost of only 0.3 cents for all the hosts using this modulus.”
As for the remainder, the paper states that three minutes' work on an eight-core system yielded 90 factorisations of low-strength keys corresponding to 294 different hosts, “saving the $9,000 that a cloud computation would have cost if each modulus had been attacked directly.
“We consider this to be a good return on investment for a Friday afternoon's work”, the report drily notes. ®