10th August 2021, Kathmandu
There is a serious vulnerability in the hardware random number generators used in billions of Internet of Things (IoT) devices that do not generate random numbers correctly, compromising their security and putting them at risk of attack.
“It turns out that when it comes to IoT devices, these ‘randomly’ selected numbers are not always as random as you would like,” said Bishop Fox researchers Dan Petro and Allan Cecil in an analysis published Say last week. “In fact, in many cases, the device chooses an encryption key of 0 or worse. This can lead to a catastrophic security breakdown from any upstream use.”
Random Number Generation (RNG) is the key to supporting multiple encryption applications The process includes key generation, random number, and salting. In traditional operating systems, it is derived from a cryptographically secure pseudo-random number generator (CSPRNG) that uses entropy obtained from a high-quality seed source.
As far as IoT devices are concerned, these are provided by a system-on-chip (SoC), which contains a dedicated hardware RNG peripheral called a true random number generator (TRNG) to capture the randomness of physical processes or phenomena.
pointed out that the current method of invoking peripherals is incorrect. Researchers pointed out that the lack of comprehensive control over the response to the error code resulted in the random number generated not only being random, but worse, predictable. , Resulting in partial entropy, uninitialized memory, and even an encryption key containing a single zero.
