More than 26,000 Cisco devices sold by Australia’s dominant telco Telstra are open to hijacking via hardcoded SSH login keys and SSL certificates.
The baked-in HTTPS server-side certificates and SSH host keys were found by Sec Consult during a study of thousands of router and Internet of Things gizmos.
Cisco warns that miscreants who get hold of these certificates can decrypt web traffic to a router’s built-in HTTPS web server via man-in-the-middle attacks. The web server is provided so people can configure devices from their browsers. The decrypted traffic will reveal usernames, passwords, and other sensitive information.