CPSEC-15: Device population shares same SSL/TLS & SSH keys
October 19, 2018
Summary: Cradlepoint devices are provisioned with SSL/TLS certificates and SSH host keys that are shared across subsets of the Cradlepoint device population. Because of this sharing, an attacker who recovers the private key material from one device or firmware image can use it to mount a man-in-the-middle attack against the administrator of another Cradlepoint device.
Mitigation: Upgrade to firmware version 7.0.0 or newer. For more information or instructions on this mitigation, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.