1 min read

Billions of IoT Devices at Risk Because the RNG Module Doesn’t Always Produce Random Numbers

Silviu STAHIE

August 10, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Billions of IoT Devices at Risk Because the RNG Module Doesn’t Always Produce Random Numbers

Security researchers have identified a vulnerability in the hardware random number generators (RNG) implemented in billions of IoT devices, which in theory would undermine the cryptographic process by providing not-so-random numbers.

Most modern IoT devices have a piece of dedicated hardware named RNG, implemented at the systems-on-a-chip (SoC) level, which is interrogated from the OS level whenever the need arises for a private key. While the process should be technically more than sufficient to produce unique numbers, it turns out that it doesn’t happen under several scenarios.

Due to a series of factors identified by Bishop Fox researchers, the RNG module doesn’t always work as it should.

“But it turns out that these ‘randomly’ chosen numbers aren’t always as random as you’d like when it comes to IoT devices,” said the researchers. “In fact, in many cases, devices are choosing encryption keys of 0 or worse. This can lead to a catastrophic collapse of security for any upstream use.”

When the OS calls for a random number, two critical results have to be taken into consideration. The module offers a random number, but it can also return values specific to any number of error cases. As the researchers found out, no one really cares about these errors, and the OS ignores them, for the most part.

“So, the first question you might be asking is, ‘How many people out there in the wild actually check this error code?’ Unfortunately, the answer is almost nobody,” researchers added.

Three different problems can occur. RNG will produce a number using only partial entropy (not truly random), the number 0 or uninitialized memory. None of these scenarios are ideal, and researchers say that many IoT devices are likely offering 0 crypto keys.

The researchers conclude that this problem affects the entire IoT industry and recommend implementing a cryptographically secure pseudorandom number generator (CSPRNG) at the OS level. It’s not the kind of problem that can be fixed with a patch, and it will take some time before the industry catches up.

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials
Silviu STAHIE

November 26, 2021

1 min read
Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group
Filip TRUȚĂ

November 26, 2021

1 min read
Couple arrested for secretly installing cryptomining software on department store PCs Couple arrested for secretly installing cryptomining software on department store PCs
Graham CLULEY

November 26, 2021

1 min read