August 6, 2021
A vulnerability in the foundation of Internet of Things (IoT) security affects billions of devices that have a random number generator (RNG), researchers with Bishop Fox disclosed this week.
Lead researcher Dan Petro and security consultant Allan Cecil, who will present their research at this week's DEF CON 29, say the RNG fails to properly generate random numbers and, as a result, undermines security for any upstream use.
For most security-related tasks, computers use an RNG to create secrets that form the basis for access controls, authentication, cryptography, and other operations. However, these "randomly" chosen numbers aren't always as random as users might like when it comes to IoT devices, researchers found. Many devices end up with encryption keys of zero, or worse, they say.
As of 2021, most new IoT systems-on-a-chip (SoCs) have a dedicated hardware RNG peripheral that is designed to address this problem. However, how this peripheral is used is "critically important," and in the current state of IoT it is being used incorrectly, their report states.
"One of the hard parts about this vulnerability is that it's not a simple case of 'you zigged where you should have zagged' that can be patched easily," the researchers state in a blog post on their findings. "In order to remediate this issue, a substantial and complex feature has to be engineered into the IoT device."
The core vulnerability doesn't exist in a single device's SDK or in a specific SoC implementation, they explain. Researchers suggest the IoT needs a CSPRNG subsystem, which they define as a "cryptographically secure pseudo-random number generator (CSPRNG) subsystem" that is made available to applications as an API. A CSPRNG can create an endless sequence of strong random numbers immediately.
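As an added illustration (not code from Bishop Fox or from any IoT SDK) of the two designs the researchers contrast: reading the RNG peripheral's data register directly with no status check, beside a small CSPRNG subsystem that accepts only status-checked peripheral reads as seed material and then expands a 256-bit seed into an unbounded stream with the ChaCha20 block function. The peripheral model (a data register plus a ready flag), the struct and function names, and the 256-bit seed threshold are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of a hardware RNG peripheral: a data register plus a
 * ready flag (an assumption for this demo; real peripherals vary). */
struct hw_rng { uint32_t data; int ready; };

/* The failure mode the research describes: the data register is read and
 * trusted with no status check, so a not-ready peripheral yields a zero. */
uint32_t naive_key_word(const struct hw_rng *p) { return p->data; }
/* CSPRNG subsystem: a 256-bit key gathered from status-checked peripheral
 * reads, expanded into an unbounded stream with the ChaCha20 block function. */
#define ROTL(a, b) (((a) << (b)) | ((a) >> (32 - (b))))
#define QR(a, b, c, d) (a += b, d ^= a, d = ROTL(d, 16), c += d, b ^= c, b = ROTL(b, 12), \
                        a += b, d ^= a, d = ROTL(d, 8),  c += d, b ^= c, b = ROTL(b, 7))
struct csprng { uint32_t st[16], buf[16]; int used, seeded; };

static void chacha_block(uint32_t out[16], const uint32_t in[16]) {
    uint32_t x[16];
    memcpy(x, in, sizeof x);
    for (int i = 0; i < 10; i++) {                      /* 20 rounds */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (int i = 0; i < 16; i++) out[i] = x[i] + in[i];
}

void csprng_init(struct csprng *g) {
    memset(g, 0, sizeof *g);
    g->st[0] = 0x61707865; g->st[1] = 0x3320646e;       /* "expand 32-byte k" */
    g->st[2] = 0x79622d32; g->st[3] = 0x6b206574;
    g->used = 16;                                       /* output buffer empty */
}

/* Accept one peripheral read into the key only if the peripheral reports
 * ready; returns 1 if accepted. A silent zero never enters the pool. */
int csprng_add_entropy(struct csprng *g, const struct hw_rng *p) {
    if (!p->ready || g->seeded >= 8) return 0;
    g->st[4 + g->seeded++] = p->data;
    return 1;
}
int csprng_seeded(const struct csprng *g) { return g->seeded >= 8; }
/* Next 32-bit word; returns 0 and writes nothing until fully seeded. */
int csprng_next(struct csprng *g, uint32_t *out) {
    if (!csprng_seeded(g)) return 0;
    if (g->used == 16) { chacha_block(g->buf, g->st); g->st[12]++; g->used = 0; }
    *out = g->buf[g->used++];
    return 1;
}
```

The subsystem refuses to emit anything until the peripheral has contributed a full seed, which is the property a direct register read cannot offer.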
Read the full blog post for details on their findings.