Billions of IoT Devices at Risk Because the RNG Module Doesn’t Always Produce Random Numbers
Security researchers have identified a vulnerability in the hardware random number generators (RNG) implemented in billions of IoT devices, which in theory would undermine the cryptographic process by providing not-so-random numbers.
Most modern IoT devices have a piece of dedicated hardware named RNG, implemented at the systems-on-a-chip (SoC) level, which is interrogated from the OS level whenever the need arises for a private key. While the process should be technically more than sufficient to produce unique numbers, it turns out that it doesn’t happen under several scenarios.
Due to a series of factors identified by Bishop Fox researchers, the RNG module doesn’t always work as it should.
“But it turns out that these ‘randomly’ chosen numbers aren’t always as random as you’d like when it comes to IoT devices,” said the researchers. “In fact, in many cases, devices are choosing encryption keys of 0 or worse. This can lead to a catastrophic collapse of security for any upstream use.”
When the OS calls for a random number, two critical results have to be taken into consideration. The module offers a random number, but it can also return values specific to any number of error cases. As the researchers found out, no one really cares about these errors, and the OS ignores them, for the most part.
“So, the first question you might be asking is, ‘How many people out there in the wild actually check this error code?’ Unfortunately, the answer is almost nobody,” researchers added.
Three different problems can occur. RNG will produce a number using only partial entropy (not truly random), the number 0 or uninitialized memory. None of these scenarios are ideal, and researchers say that many IoT devices are likely offering 0 crypto keys.
The researchers conclude that this problem affects the entire IoT industry and recommend implementing a cryptographically secure pseudorandom number generator (CSPRNG) at the OS level. It’s not the kind of problem that can be fixed with a patch, and it will take some time before the industry catches up.
The Holiday Guide to Tech Support: Fixing the Family Computer
November 24, 2021
Bitdefender Celebrates 20 Years of Cybersecurity Leadership
November 04, 2021
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords
October 26, 2021
What are drive-by download attacks and how do you prevent them?
October 25, 2021
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks
October 22, 2021
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals
October 20, 2021