1 min read

Billions of IoT Devices at Risk Because the RNG Module Doesn’t Always Produce Random Numbers

Silviu STAHIE

August 10, 2021


Security researchers have identified a weakness in the hardware random number generators (RNGs) built into billions of IoT devices: under certain conditions they return numbers that are not random at all, undermining any cryptography built on top of them.

Most modern IoT devices include a dedicated hardware RNG peripheral on the system-on-a-chip (SoC), which the operating system queries whenever it needs random material, for example to generate a private key. In principle this should be more than sufficient to produce unpredictable numbers, but it turns out that in several scenarios it does not.

Due to a series of factors identified by Bishop Fox researchers, the RNG module doesn’t always work as it should.

“But it turns out that these ‘randomly’ chosen numbers aren’t always as random as you’d like when it comes to IoT devices,” said the researchers. “In fact, in many cases, devices are choosing encryption keys of 0 or worse. This can lead to a catastrophic collapse of security for any upstream use.”

When the OS asks for a random number, the call has two outcomes that both matter: the module returns a value, but it also returns a status code that can signal any of several error conditions. As the researchers found, that status code is almost universally ignored, and the OS uses whatever value came back.

“So, the first question you might be asking is, ‘How many people out there in the wild actually check this error code?’ Unfortunately, the answer is almost nobody,” researchers added.

Three distinct failure modes can occur: the RNG returns a number drawn from only partial entropy (so it is not truly random), it returns the number 0, or it returns whatever uninitialized memory happened to contain. None of these is acceptable, and the researchers say many IoT devices are likely generating all-zero cryptographic keys as a result.
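The following C example is added here to illustrate the pattern the article describes; it is not code from the article or from Bishop Fox. It models a hypothetical SoC RNG driver (`hal_rng_read`, a constructed stand-in, not any vendor's API) that returns a status code and writes 0 on failure, then contrasts a caller that discards the status, which silently produces an all-zero key, with a hardened caller that propagates the error and additionally rejects an all-zero result regardless of what the driver reported.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a SoC hardware RNG driver (hypothetical API).
 * Like many real HALs it returns a status code and writes the word via a pointer. */
typedef enum { HAL_OK = 0, HAL_ERR_NOT_READY = 1, HAL_ERR_TIMEOUT = 2 } hal_status_t;

/* Simulation knob: when non-zero, every read fails as an unprimed RNG would. */
static int g_simulate_failure = 0;

void set_rng_failure(int on) { g_simulate_failure = on; }

static hal_status_t hal_rng_read(uint32_t *out)
{
    if (g_simulate_failure) {
        /* Driver reports an error but, as the article describes, still writes 0. */
        *out = 0;
        return HAL_ERR_NOT_READY;
    }
    /* Constructed deterministic output so the example is reproducible offline;
     * a real peripheral would deliver fresh entropy here. Low bit forced to 1
     * so the simulated "healthy" path never returns zero. */
    static uint32_t state = 0x9E3779B9u;
    state = state * 1664525u + 1013904223u;
    *out = state | 0x1u;
    return HAL_OK;
}

/* Returns 1 if every byte of the key is zero, else 0. */
int key_is_all_zero(const uint8_t *key, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (key[i] != 0) return 0;
    return 1;
}

/* The pattern the researchers found in the wild: the status code is discarded,
 * so on driver failure the caller happily builds a key out of zeros. */
void generate_key_unchecked(uint8_t *key, size_t len)
{
    for (size_t i = 0; i < len; i += 4) {
        uint32_t w;
        hal_rng_read(&w);                       /* return value ignored */
        size_t n = (len - i < 4) ? len - i : 4;
        memcpy(key + i, &w, n);
    }
}

/* Hardened version: propagate the driver's error, never hand back partial
 * output, and treat an all-zero key as a failure whatever the driver said. */
int generate_key_checked(uint8_t *key, size_t len)
{
    for (size_t i = 0; i < len; i += 4) {
        uint32_t w;
        if (hal_rng_read(&w) != HAL_OK) {
            memset(key, 0, len);                /* scrub partial output */
            return -1;
        }
        size_t n = (len - i < 4) ? len - i : 4;
        memcpy(key + i, &w, n);
    }
    if (key_is_all_zero(key, len)) {
        return -1;                              /* defence in depth */
    }
    return 0;
}

int main(void)
{
    uint8_t key[16];

    set_rng_failure(1);
    generate_key_unchecked(key, sizeof key);
    printf("unchecked caller under RNG failure: all-zero key = %d\n",
           key_is_all_zero(key, sizeof key));
    printf("checked caller under RNG failure: rc = %d\n",
           generate_key_checked(key, sizeof key));

    set_rng_failure(0);
    printf("checked caller with healthy RNG: rc = %d, all-zero = %d\n",
           generate_key_checked(key, sizeof key),
           key_is_all_zero(key, sizeof key));
    return 0;
}
```

The all-zero check in `generate_key_checked` is deliberately independent of the status code: it catches the case the article describes where a driver signals success but the peripheral was never primed, and it costs nothing at key-generation frequency.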

The researchers conclude that this problem affects the entire IoT industry and recommend implementing a cryptographically secure pseudorandom number generator (CSPRNG) at the OS level. It’s not the kind of problem that can be fixed with a patch, and it will take some time before the industry catches up.
