A vulnerability in the foundation of Internet of Things (IoT) security affects billions of devices that have a random number generator (RNG), researchers with Bishop Fox disclosed this week.
Lead researcher Dan Petro and security consultant Allan Cecil, who will present their research at this week's DEF CON 29, say the RNG fails to properly generate random numbers and, as a result, undermines security for any upstream use.
For most security-related tasks, computers use an RNG to create secrets that form the basis for access controls, authentication, cryptography, and other operations. However, these "randomly" chosen numbers aren't always as random as users might like when it comes to IoT devices, researchers found. Many devices choose encryption keys of zero or worse, they say.
As of 2021, most new IoT systems-on-a-chip (SoCs) have a dedicated hardware RNG peripheral that is designed to address this problem. However, how this peripheral is used is "critically important" and, in the current state of IoT, is being used incorrectly, their report states.
"One of the hard parts about this vulnerability is that it's not a simple case of 'you zigged where you should have zagged' that can be patched easily," the researchers state in a blog post on their findings. "In order to remediate this issue, a substantial and complex feature has to be engineered into the IoT device."
The core vulnerability doesn't exist in a single device's SDK or in a specific SoC implementation, they explain. Researchers suggest the IoT needs a "cryptographically secure pseudo-random number generator (CSPRNG) subsystem" that is made available to applications as an API. A CSPRNG can create an endless sequence of strong random numbers immediately.
Read the full blog post for details on their findings.