January 21 2016

John Matherly, the founder of Shodan, was revamping the SSH banner when he discovered a large number of devices that share the same SSH keys.

Back in December when I revamped the SSH banner and started collecting the fingerprint I noticed an odd behavior. It turns out that a few SSH keys are used a lot more than once. For example, the following SSH fingerprint can be found on more than 250,000 devices!

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

And there are many more fingerprints that are also duplicated, which you can check out yourself using the following Python code:

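import shodan

# Placeholder: replace with your own Shodan API key
YOUR_API_KEY = 'YOUR_API_KEY'

api = shodan.Shodan(YOUR_API_KEY)

# Get the top 1,000 duplicated SSH fingerprints
results = api.count('port:22', facets=[('ssh.fingerprint', 1000)])

# Each facet entry pairs a fingerprint with the number of hosts presenting it
for facet in results['facets']['ssh.fingerprint']:
    print('%s --> %s' % (facet['value'], facet['count']))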

Going back to the fingerprint mentioned above, when you plug that into Shodan the picture becomes somewhat clearer:

It looks like all devices with the fingerprint are Dropbear SSH instances that have been deployed by Telefonica de Espana. It appears that some of their networking equipment comes set up with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices.

The next duplicated fingerprint on the list comes in at around 200,000 devices, followed by another one used by 150,000 devices. By analyzing the facets it’s easy to get a picture of systemic issues that plague both hardware manufacturers as well as ISPs/hosting providers. I’ve uploaded a list of unique fingerprints and their counts to the following Gist location:

https://gist.github.com/achillean/07f7f1e6b0e6e113a33c

Feel free to download the CSV and start analyzing the duplicated fingerprints because there are a lot of them. I wouldn’t be surprised if you’d uncover interesting security issues by analyzing why these things are misconfigured.

For example, this fingerprint is common across over 250,000 devices worldwide:

dc:14:de:8e:d7:c1:15:43:23:82:25:81:d2:59:e8:c0

And this fingerprint is common across over 11,000 devices across the UK:

7c:a8:25:21:13:a2:eb:00:a6:c1:76:ca:6b:48:6e:bf

This obviously presents issues in authenticating which device you are connecting to over SSH, but what other real-world implications are there in having a common fingerprint (and hence, common public key) across so many devices?
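The same duplicate check can be run against your own fleet rather than Shodan. The following is an added example, not code from the original post: it assumes input in ssh-keyscan output format ("host keytype base64-key") and computes the colon-separated MD5 fingerprint format shown above; the sample hosts and key blobs are constructed placeholders.

```python
import base64
import binascii
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format ("host keytype base64-key").
# Hosts are documentation addresses; key blobs are shortened placeholders, not real keys.
SAMPLE_SCAN = """\
# 192.0.2.10:22 SSH-2.0-dropbear
192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDaAAAA
192.0.2.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDaAAAA
192.0.2.12 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDbBBBB
192.0.2.13 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDaAAAA
192.0.2.14 ssh-rsa not*valid*base64
"""


def md5_fingerprint(b64_key):
    """Colon-separated MD5 of the decoded key blob, the format shown in the post."""
    blob = base64.b64decode(b64_key, validate=True)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def shared_host_keys(scan_text):
    """Return ({fingerprint: sorted hosts} for keys seen on 2+ hosts, skipped lines)."""
    hosts_by_fp = defaultdict(set)
    skipped = []
    for line in scan_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        try:
            host, _keytype, b64_key = fields[:3]
            hosts_by_fp[md5_fingerprint(b64_key)].add(host)
        except (ValueError, binascii.Error):
            skipped.append(line)  # too few fields or undecodable key
    shared = {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}
    return shared, skipped


if __name__ == "__main__":
    shared, skipped = shared_host_keys(SAMPLE_SCAN)
    for fp, hosts in sorted(shared.items(), key=lambda kv: -len(kv[1])):
        print("%s --> %d hosts: %s" % (fp, len(hosts), ", ".join(hosts)))
    print("skipped %d malformed line(s)" % len(skipped))
```

Any fingerprint this reports means those hosts share a private host key, so each one should have its host key regenerated on the device itself.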

They said 11,561, 7,875, and 2,224 instances of duplicates were linked to telcos Sky Broadband, TalkTalk and BT Plusnet.

