IoT Devices affected by random number generator flaw
Many Internet of Things (IoT) devices are at the risk of an attack due to a critical vulnerability found in the hardware random number generators used in them. It specifies a failure to create random numbers, indicating a security threat.
Dan Petro and Allan Cecil, researchers at Bishop Fox, highlighted that the random numbers in IoT devices aren’t always too random, as these devices, in most cases, choose encryption keys of 0. This can lead to serious security concerns.
The Internet of things involves the network of physical objects that have sensors, software, and other technologies embedded in them so that these can connect and share data with other devices and systems that are present on the internet.
Researchers noted that running out of entropy is one of the most prominent reasons for the HAL function to the RNG peripheral failure due to the finite supply, although the means are endless. It was also identified that if the RNG HAl function is called when it doesn’t have any random number, it will return an error code. Thus, the calls fail if the device wants to get too many random numbers in very little time.
This issue is not very common in the IoT umbrella due to the lack of OS with randomness API. The researchers pointed out the advantages of a bigger entropy pool linked to a CSPRNG subsystem, suggesting that they eliminate the chances of failure.
These issues can also be catered to with software updates, but a perfect solution suggests that IoT device makers should include a CSPRNG API that stems from diverse entropy sources and assure that error conditions are not overlooked. The researchers also stated that this vulnerability could not be fixed easily as the implementation of the API in OS is a very complex procedure.