Monday, January 3

Encryption Fails - Embedded SSL Keys - PS3 root keys

A couple of noteworthy failures in the implementations of encryption.

The littleblackbox project over at Google Code aims to provide a list of all of the private keys embedded into device firmware by vendors that are too lazy to create unique private keys for devices. This includes consumer devices, some commercial devices, basically anything that has a private key embedded in common firmware shipped with the device. Once you have the private keys you can then decrypt future communications from the devices (read: admin interface traffic, SSL VPN session negotiation, etc.).

This affects lots of products and software including many of the popular dd-wrt devices.

Want to add to the list of recognized private keys? Simply download the binwalk tool and feed it a firmware file from your device.
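To audit firmware images you ship or deploy for the same problem, the sketch below finds PEM-armored private keys in a binary blob and reports any key that appears in more than one image. It is an added example, not code from littleblackbox or binwalk; the image names and key bodies are constructed filler, and `find_embedded_keys`, `shared_keys` and `make_pem` are names chosen here.

```python
import base64
import hashlib
import re

# PEM armor for private keys: "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", ...
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----\s+"
    rb"([A-Za-z0-9+/=\s]+?)"
    rb"-----END \1-----"
)


def find_embedded_keys(blob):
    """Return (offset, label, sha256 of decoded body) for each PEM private key in blob."""
    hits = []
    for m in PEM_KEY.finditer(blob):
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            continue  # armor-like text whose body is not valid base64
        hits.append((m.start(), m.group(1).decode(), hashlib.sha256(der).hexdigest()))
    return hits


def shared_keys(images):
    """Map fingerprint -> sorted image names, for keys found in more than one image."""
    seen = {}
    for name, blob in images.items():
        for _, _, fp in find_embedded_keys(blob):
            seen.setdefault(fp, set()).add(name)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}


def make_pem(label, der):
    # Helper for the constructed samples below: wrap bytes in PEM armor.
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n".encode()


# Constructed sample data: filler bytes in PEM armor, not real key material.
SHARED_KEY = make_pem("RSA PRIVATE KEY", bytes(range(200)))
UNIQUE_KEY = make_pem("RSA PRIVATE KEY", bytes(range(55, 255)))
IMAGES = {
    "model-a-v1.bin": b"\x00" * 64 + SHARED_KEY + b"\xff" * 32,
    "model-a-v2.bin": b"squashfs" + b"\x00" * 128 + SHARED_KEY,
    "model-b-v1.bin": b"\x00" * 16 + UNIQUE_KEY,
}

if __name__ == "__main__":
    print(shared_keys(IMAGES))
```

Any fingerprint returned by `shared_keys` is a key baked into common firmware rather than generated per device. Keys stored in compressed filesystems or as raw DER will not match this pattern until the image is unpacked.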

It also appears that the root encryption key from Sony's PS3 game console has been discovered and posted by Geohot on his site.  Here is a video from fail0verflow's explanation of the weaknesses in the PS3 security model.