‘Creation of certificate for Fritzbox reveals host name via internet’

Spread the love

A new beta of firmware for the Fritzbox router lets users create a Let’s Encrypt certificate to enable management over the Internet over a secure connection. As a result, the host name is exposed to third parties, writes a German site.

Security researcher Hanno Böck writes on the Golem site that the certificates created via the function can be found using certificate transparency systems. For example, there are services that offer an api to search created certificates. An attacker could use this to find out the host names of Fitzbox routers, he says. If a vulnerability is found in, for example, the web interface, the routers run a risk.

Manufacturer AVM tells the site that “security models should go beyond hiding devices.” In addition, the https ports would be randomly assigned, which, according to Böck, only delays an attack by a few minutes. The researcher states that it is nevertheless a good idea on the part of the manufacturer to enable automatic creation of a certificate. He suggests that a warning to users might be in order that using the function reveals the hostname.

The Let’s Encrypt certificate creation feature can be found in the latest beta firmware for the Fritzbox 7490, the manufacturer announced this week. After creating a certificate, users can access their router via the MyFritz service over a secure connection.

You might also like