
SSL certificate warning - known private key in the Actiontec router

Concerned_User
Contributor
Posts: 2
Registered: ‎05-24-2014

SSL certificate warning - known private key in the Actiontec router

Message 1 of 6
(2,680 Views)

Hi,

 

I tested our LAN security using nmap on network 192.168.1.0/24.  The program spit out a warning when it scanned the router:

.. open ssl/http Verizon FIOS Actiontec http config...SHA-1: 438 33c0 94f6 afc8....

... _ssl-known-key: Found in Little Black Box 0.1...https://code.google.com/p/littleblackbox...

 

I went to this website and this is what it says:

 

LittleBlackBox is a collection of thousands of private SSL and SSH keys extracted from various embedded devices. These private keys are stored in a database where they are correlated with their public certificates as well as the hardware/firmware that are known to use those private keys.

A command line utility is included to aid in the identification of devices or network traffic that use these known private keys. Given a public certificate, the utility will search the database to see if it has a corresponding private key; if so, the private key is displayed and can be used for traffic decryption or MITM attacks. Alternatively, it will also display a table of hardware and firmware that is known to use that private key.

The utility can obtain a public certificate several different ways:

  1. You may give it the path to a public SSL certificate file.
  2. You may give it the SHA1 hash of a public SSL/SSH certificate.
  3. Given a host, it will retrieve the host's public SSL certificate.
  4. Given a pcap file, it will parse the file looking for public SSL certificate exchanges.
  5. Given a live network interface, it will listen for public SSL certificate exchanges.

I clicked on FAQ, at https://code.google.com/p/littleblackbox/wiki/FAQ, and it says:

 

2. My router/VPN/printer/server/etc is listed in the LittleBlackBox database. What do I do?

If you have the ability to change the default SSL certificates, do so immediately. If this is not possible, then treat your HTTPS sessions as if they were un-secure HTTP sessions. It may also be possible to tunnel your connections through another service, such as SSH.

Is my SSL unsecure?  How do I (Verizon) fix it?

Thanks!
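
The lookup described in the post above (certificate fingerprint matched against a database of known keys), as an added example that is not part of the original post or of LittleBlackBox. It is a defender-side check for your own devices; the database contents, labels and sample certificate bytes are constructed, and all function names are hypothetical.

```python
import hashlib
import re
import ssl

# Constructed stand-in for a database of certificate fingerprints whose
# private keys are public; real entries would come from a maintained list.
KNOWN_KEY_FINGERPRINTS = {}

def normalize_fingerprint(text):
    """Reduce 'AA:BB:..', 'aabb ccdd ..' or plain hex to 40 lowercase hex chars."""
    hexonly = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(hexonly) != 40:
        # Scanner output is often truncated with '...'; refuse to match on it.
        raise ValueError("not a complete SHA-1 fingerprint: %r" % text)
    return hexonly

def fingerprint_from_pem(pem):
    """SHA-1 over the DER encoding, the value scanners print for a certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha1(der).hexdigest()

def fetch_fingerprint(host, port=443):
    """Fetch the certificate a device presents, without validating it (needs network)."""
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))

def check_known_key(fingerprint, database=KNOWN_KEY_FINGERPRINTS):
    """Return the database label if the certificate's key is publicly known, else None."""
    return database.get(normalize_fingerprint(fingerprint))

# Constructed sample: arbitrary bytes wrapped as PEM, standing in for the
# certificate a router would present. It is not a real certificate.
SAMPLE_DER = b"constructed stand-in for a router certificate (not real DER)"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
KNOWN_KEY_FINGERPRINTS[fingerprint_from_pem(SAMPLE_PEM)] = (
    "example-router firmware (constructed entry)"
)

if __name__ == "__main__":
    fp = fingerprint_from_pem(SAMPLE_PEM)
    print(fp, "->", check_known_key(fp) or "not in database")
```

A match means the HTTPS session to that device gives no confidentiality against anyone who holds the published key, which is the situation the FAQ answer quoted above addresses.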

 

 

 

 

 

5 REPLIES 5
Hubrisnxs
Platinum Contributor III
Posts: 5,881
Registered: ‎07-22-2009

Re: SSL certificate warning - known private key in the Actiontec router

Message 2 of 6
(2,660 Views)

That question might be better for Actiontec tech support instead of Verizon. I am pretty sure you won't find anyone at Verizon that would be able to answer that question very easily, if at all, so I would send that question over to Actiontec.

I am curious what their answer would be too, so I sent the same question to them, but they won't answer until Monday or Tuesday (their site says emails answered Mon-Fri) and they probably observe the Memorial Day holiday, so Tues or Wed is when I would expect to hear from them.

tns2
Platinum Contributor III
Posts: 4,437
Registered: ‎12-16-2012

Re: SSL certificate warning - known private key in the Actiontec router

Message 3 of 6
(2,634 Views)

All that would mean is that someone FROM INSIDE YOUR NETWORK can snoop on your secure connection to your router.  Since most people don't use https://192.168.1.1 but use http://192.168.1.1 to connect, it's not like it's a big deal.

Concerned_User
Contributor
Posts: 2
Registered: ‎05-24-2014

Re: SSL certificate warning - known private key in the Actiontec router

Message 4 of 6
(2,583 Views)

I asked Actiontec for information and they said that it's not their fw, but Verizon's.  They just make the hw.

 

That being said, will Verizon fix this issue?

tns2
Platinum Contributor III
Posts: 4,437
Registered: ‎12-16-2012

Re: SSL certificate warning - known private key in the Actiontec router

Message 5 of 6
(2,580 Views)

Read my earlier statement.  Essentially it only affects the web pages YOU use to configure your router, and most don't even use an SSL interface to get to those pages.

However I wouldn't be surprised that the OpenSSL patches would be included in some future update of the router.  Verizon, like most others, reviewed all their software to see where the OpenSSL code was used and might need to be patched, the high priority things being the web pages for their sites, and boxes that control their network.

pquirk
Contributor
Posts: 4
Registered: ‎05-29-2012

Re: SSL certificate warning - known private key in the Actiontec router

Message 6 of 6
(2,211 Views)

The ciphers in this software are also weak. RC4 should be removed and strong 256-bit ciphers should be added. There hasn't been a software update for over a year, despite the major OpenSSL bugs reported last year. It's hard to believe that anyone at Verizon is tasked with keeping these modems secure.
