Researchers Find Flaw in IoT Devices' Random Number Generator

Published : 23/11/2024   Category : security




Every Internet-connected device with a random number generator contains a vulnerability that fails to properly generate random numbers, researchers report.



A vulnerability in the foundation of Internet of Things (IoT) security affects billions of devices that have a random number generator (RNG), researchers with Bishop Fox disclosed this week.
Lead researcher Dan Petro and security consultant Allan Cecil, who will present their research at this week's DEF CON 29, say the RNG fails to properly generate random numbers and, as a result, undermines security for any upstream use.
For most security-related tasks, computers use an RNG to create secrets that form the basis for access controls, authentication, cryptography, and other operations. However, these randomly chosen numbers aren't always as random as users might like when it comes to IoT devices, researchers found. Many devices choose encryption keys of zero or worse, they say.
As of 2021, most new IoT systems-on-a-chip (SoCs) have a dedicated hardware RNG peripheral that is designed to address this problem. However, how this peripheral is used is critically important and, in the current state of IoT, it is being used incorrectly, their report states.
"One of the hard parts about this vulnerability is that it's not a simple case of 'you zigged where you should have zagged' that can be patched easily," the researchers state in a blog post on their findings. In order to remediate this issue, a substantial and complex feature has to be engineered into the IoT device.
The core vulnerability doesn't exist in a single device's SDK or in a specific SoC implementation, they explain. Researchers suggest the IoT needs a cryptographically secure pseudo-random number generator (CSPRNG) subsystem that is made available to applications as an API. A CSPRNG can create an endless sequence of strong random numbers immediately.
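The following C sketch is an added example, not code from the article or from Bishop Fox. It shows one way incorrect use of an RNG peripheral can produce the all-zero key mentioned above, next to a caller that fails closed. The peripheral API (`hw_rng_read`), its "not ready" error, and the ignored return code are assumptions made for illustration; the checked variant is not the CSPRNG subsystem the researchers recommend.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a hardware RNG peripheral (hypothetical API).
 * While hw_not_ready > 0 the read fails and leaves *out untouched. */
static int hw_not_ready = 0;
static uint32_t hw_state = 0x9E3779B9u;  /* simulation only, NOT entropy */

int hw_rng_read(uint32_t *out) {
    if (hw_not_ready > 0) { hw_not_ready--; return -1; }
    hw_state = hw_state * 1664525u + 1013904223u;
    *out = hw_state;
    return 0;
}

/* Weak pattern: return code ignored, so a failed read leaves the
 * zero-initialised word in place and the key is all zeros. */
void make_key_unchecked(uint8_t key[16]) {
    for (size_t i = 0; i < 16; i += 4) {
        uint32_t w = 0;
        hw_rng_read(&w);            /* error silently dropped */
        memcpy(key + i, &w, 4);
    }
}

/* Hardened pattern: bounded retry per word, fail closed, and never
 * hand a partially filled key back to the caller. */
int make_key_checked(uint8_t key[16], int max_retries) {
    for (size_t i = 0; i < 16; i += 4) {
        uint32_t w = 0;
        int tries = 0;
        while (hw_rng_read(&w) != 0) {
            if (++tries > max_retries) {
                memset(key, 0, 16);
                return -1;          /* caller must abort key generation */
            }
        }
        memcpy(key + i, &w, 4);
    }
    return 0;
}

/* Sanity check: returns 1 if every byte of the key is zero. */
int key_is_all_zero(const uint8_t key[16]) {
    uint8_t acc = 0;
    for (size_t i = 0; i < 16; i++) acc |= key[i];
    return acc == 0;
}
```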
Read the full blog post for details on their findings.
