The LittleBlackBox project does host 2,000 SSL public-private key pairs extracted from gateways, routers…
It seems that some manufacturers did use the same SSL key pair for all the instances of a given hardware and firmware. The project attempts to collect the largest collection of such keys together with the details of corresponding firmware and hardware. Once you know the used keys, it is possible to mount a man in the middle attack. This is clearly the aim of this project.
What is difficult to believe is that many devices share a single key pair. Good security practice requests to use a unique key pair per device. Why should a manufacturer use only one key pair? Most probably because it simplifies the manufacturing. Providing an individual key pair for each box is complex (especially in a “hostile” environment such as a factory). Nevertheless, it is an incredible wrong design decision not to do so. Furthermore, manufacturers can even not revoke the leaked keys because else they would also revoke genuine devices!
Good news for Technicolor’s customers, our devices do not have such flaw.
Lesson: There are some economic-driven decisions that should not be allowed to have secure solutions. Security has a price.
Thanks Patrice for the pointer