Every Internet-connected device with a random number generator contains a vulnerability that fails to properly generate random numbers, researchers report.
A vulnerability in the foundation of Internet of Things (IoT) security affects billions of devices that have a random number generator (RNG), researchers with Bishop Fox disclosed this week.
Lead researcher Dan Petro and security consultant Allan Cecil, who will present their research at this week's DEF CON 29, say the RNG fails to properly generate random numbers and, as a result, undermines security for any upstream use.
For most security-related tasks, computers use an RNG to create secrets that form the basis for access controls, authentication, cryptography, and other operations. However, these "randomly" chosen numbers aren't always as random as users might like when it comes to IoT devices, researchers found. Many devices choose encryption keys of zero or worse, they say.
As of 2021, most new IoT systems-on-a-chip (SoCs) have a dedicated hardware RNG peripheral that is designed to address this problem. However, how this peripheral is used is "critically important" and, in the current state of IoT, is being used incorrectly, their report states.
"One of the hard parts about this vulnerability is that it's not a simple case of 'you zigged where you should have zagged' that can be patched easily," the researchers state in a blog post on their findings. "In order to remediate this issue, a substantial and complex feature has to be engineered into the IoT device."
The core vulnerability doesn't exist in a single device's SDK or in a specific SoC implementation, they explain. Researchers suggest the IoT needs a CSPRNG subsystem, which they define as a "cryptographically secure pseudo-random number generator (CSPRNG) subsystem" that is made available to applications as an API. CPSRNG can create an endless sequence of strong random numbers immediately.
Read the full blog post for details on their findings.
About the Author(s)
You May Also Like
The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024