Advantech Clears Hard-Coded SSH Keys from EKI Switches

Critical industrial switches used worldwide for automation contained hard-coded SSH keys that put devices and networks at risk.

Advantech, a Taiwanese distributor, has developed new firmware for its EKI-122x series of products that remove the hard-coded SSH keys. SSH keys are a means by which computers authenticate one another without the need for a password.

The issue was reported by Neil Smith, a researcher with ZeroFox who has disclosed numerous bugs including this one to the Industrial Control System Cyber Emergency Readiness Team (ICS-CERT).

Advantech said the hard-coded SSH keys were found in:

  • EKI-136* product line prior to firmware version 1.27,
  • EKI-132* product line prior to firmware version 1.98, and
  • EKI-122*-BE product line prior to firmware version 1.65.

ICS-CERT published an advisory warning that the issue could be exploited remotely.

“An attacker who exploits this vulnerability may be able to intercept communications to and from this device,” ICS-CERT said in its advisory, adding that it is not aware of public exploits.

The patched firmware has been available for a couple of weeks, ICS-CERT said.

“For the EKI‑122*-BE (v1.65) and EKI-136* (v1.27) product lines, HTTPS and SSH is disabled. For the EKI‑132* (v1.98) product line, additional configurations were added to allow customization for the HTTPS and SSH keys,” the advisory said.

Provided from: Techcrunch.