Billions of IoT Devices at Risk Because the RNG Module Doesn’t Always Produce Random Numbers
Security researchers have identified a vulnerability in the hardware random number generators (RNG) implemented in billions of IoT devices, which in theory would undermine the cryptographic process by providing not-so-random numbers.
Most modern IoT devices have a piece of dedicated hardware named RNG, implemented at the systems-on-a-chip (SoC) level, which is interrogated from the OS level whenever the need arises for a private key. While the process should be technically more than sufficient to produce unique numbers, it turns out that it doesn’t happen under several scenarios.
Due to a series of factors identified by Bishop Fox researchers, the RNG module doesn’t always work as it should.
“But it turns out that these ‘randomly’ chosen numbers aren’t always as random as you’d like when it comes to IoT devices,” said the researchers. “In fact, in many cases, devices are choosing encryption keys of 0 or worse. This can lead to a catastrophic collapse of security for any upstream use.”
When the OS calls for a random number, two critical results have to be taken into consideration. The module offers a random number, but it can also return values specific to any number of error cases. As the researchers found out, no one really cares about these errors, and the OS ignores them, for the most part.
“So, the first question you might be asking is, ‘How many people out there in the wild actually check this error code?’ Unfortunately, the answer is almost nobody,” researchers added.
Three different problems can occur. RNG will produce a number using only partial entropy (not truly random), the number 0 or uninitialized memory. None of these scenarios are ideal, and researchers say that many IoT devices are likely offering 0 crypto keys.
The researchers conclude that this problem affects the entire IoT industry and recommend implementing a cryptographically secure pseudorandom number generator (CSPRNG) at the OS level. It’s not the kind of problem that can be fixed with a patch, and it will take some time before the industry catches up.
Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns
January 19, 2023
Enhance your cyber resilience and privacy on Computer Security Day in four easy steps
November 29, 2022
How to monitor your online privacy during your Thanksgiving trip
November 22, 2022
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info
November 16, 2022
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be
November 14, 2022