When Secure Shell Becomes Less Than Secure
In the last decade, websites have become so ubiquitous that GoDaddy, one of the oldest and largest hosting providers in the U.S., was once a regular Super Bowl advertiser (until 2017). Maybe you remember the commercial that ran in 2017 and was so racy that it caused a lot of controversy. Cheap monthly hosting with easy-to-use tools and unlimited storage has made it easy to set up a website with a shared hosting provider like GoDaddy—without much thought about the security implications.
But while using a shared hosting site may be appealing from a cost standpoint, the associated security risks can be catastrophic to a business. Hosting providers such as Hetzner, GoDaddy, and Domainfactory all experienced breaches in 2018 alone, with many others suffering breaches previously. Even Daniel’s Hosting, a Dark Web hosting service provider, was recently hacked. Players in this space are prone to many of the same security risks based on the technologies they use, including one protocol using shared secure shell (SSH) keys.
It’s a good time to review some of the new risks associated with shared SSH key pairs.
As we know, computer processing power is increasing every day. With modern cloud resources that can start thousands of computer and graphics processors on demand and in seconds, brute-forcing weak ciphers becomes a trivial task. By attacking weak ciphers, a hacker can obtain the private key of a public/private key pair. For this reason, it’s critical to continually audit devices that are connected to the internet because of how quickly technology configurations change.
To illustrate the ongoing risks of SSH keys, I’ll update and expand some earlier research on this topic [achillean]. It turns out that SSH keys are still being reused often and across many kinds of public-facing systems. Why? I can think of a few reasons. Companies want to lower IT costs for administration, they may use a similar base image, or they may rely on a third-party vendor and have very little control over how the security was set up.
Trusting Servers on the Internet
SSH is a widely used remote administration protocol that typically runs on port 22. The protocol uses public and private keys with user accounts to validate that a server is the one that you intended to connect to. A fingerprint is a unique identifier of that public key, which is analogous to the published address information of a local post office. After being connected to a server, you’re asked to present your credentials (like a username and password) to gain access to resources. This is similar to picking up a package that was delivered there and having to prove your identity.
Let’s look at the public key fingerprint (dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0) and its usage on the internet. In 2015, there were 250,000 devices, but that number has decreased to about 75,000 active devices today. Why are there so many devices with the exact same fingerprint? Well, after a bit of research we found that most of the devices are still active in Spain, while the rest of the world has seen significant drop-off. And most of these devices appear to be older residential modems and routers.
My guess is that many users are upgrading their modems to embrace faster technologies such as fiber or 4G. These modems appear globally and across different brands that support a specific Broadcom ADSL board, which would indicate that the shared key comes from a device component or software image rather than any specific manufacturer. Public data points to at least two different manufacturers: USRobotics and Zyxel. We also looked at the configuration of these devices. Most are running a lightweight SSH client known as Dropbear. The majority of those devices use an archaic version 0.46, which supports only one key exchange method known as “diffie-hellman-group1-sha1” with a 1024-bit modulus and 3DES-CBC channel encryption. All of these devices are susceptible to the Logjam and sweet32 birthday attacks.
So what can you do if you know the private key? You can effectively impersonate a legitimate server and masquerade as a device capturing the passwords of anyone trying to log in. Since these are running buggy versions of dropbear, you could alternatively try an exploit and gain direct access, and then try user passwords on other devices.
What could happen if commercial services shared the same fingerprint? Based on research that we do at Guidewire Cyence Risk Analytics, we know that many businesses use shared hosting companies to host content. How many? Well, close to 80% of large businesses have at least one shared hosting domain. Although many of these businesses may not host critical content on their domain, some will. Reputation damage can happen if just one domain is compromised. When one shared server is hacked, the attacker has access to every domain hosted on that server to manipulate or steal data. If the same security authentication is used across multiple shared servers, all data on those servers is also at risk.
Here’s the worrisome part. Some hosting services are indeed using shared SSH key pairs. The fingerprints (62:5e:b9:fd:3a:70:eb:37:99:e9:12:e3:d9:3f:4e:6c), (e5:f0:4b:35:d1:61:e4:c1:4d:6c:76:41:30:fb:53:ff), and (18:f1:bf:c6:bd:54:0c:d6:8d:5c:d8:88:9a:76:81:24) were all found to be connected to thousands of businesses that share the same problem that I mentioned above: a single point of entry. We can see that these are likely owned by Go Daddy, 1&1, and HEG, respectively. A quick analysis shows that the first key pair is likely vulnerable to Logjam. This means that any user with access to those private keys could impersonate shared hosting servers and capture credentials to those websites (like creating a fake post office location and publishing the address for mail pickup). With the right credentials, an attacker will gain access to the sensitive information that it is seeking.
Compromising devices en masse can lead to catastrophic effects, especially with exposed devices on the internet. One example was VPNFilter malware (deployed for destructive and espionage capabilities), but it could also be used for DDoS or proxying services. Worst of all, compromising a gateway device gives access to the internal network for data exfiltration.
With each one of these fingerprints connected to many thousands of devices, we have a scary scenario. Not only do those servers potentially hold sensitive customer data, but they’re also the public-facing image for many small, medium, and large businesses. And our analysis shows that large wholesale trade and retail companies use shared hosting the most out of all the industry groups that we track at Guidewire Cyence Risk Analytics.
As technology evolves, we need to be aware of the risks associated with our encryption algorithms and reuse of key pairs. Security today does not mean security tomorrow. The digital world is already extremely fragile, and aggregate events need to be identified and mitigated.
Special thanks to Alexey Grigoryev for his contributions to this article.