An Unexpected IoT Problem: Not Enough Randomness

October 12, 2021 // By Pim Tuyls
An Unexpected IoT Problem: Not Enough Randomness
A critical flaw in random number generators puts the security of billions of low-cost IoT devices at risk. This means a new approach for generating random numbers is needed, which can be found in extracting entropy from SRAM behaviour. This only requires a software installation, meaning the security systems of billions of devices can be patched without the need to make hardware changes, even in devices that have already been deployed.

Every day brings news of attacks on devices connected to the Internet of Things (IoT). The number of connected devices in the IoT is rapidly increasing, and the number of attacks on these devices is growing at an even more explosive rate.

In the first half of 2021, the number of attacks on IoT devices has mre than doubled to 1.5 billion attacks in just six months. Some are high-profile attacks, that gain a lot of media attention, like the Colonial Pipeline hack or new botnet attacks in the spirit of Mirai. But there have also been countless attacks on very personal devices such as baby monitors and even cardiac devices.

There are some typical areas of weakness in IoT devices that are exploited frequently. Examples like weak passwords, lack of regular patches and updates, insecure interfaces, and insufficient data protection are all too common when it comes to these attacks. However, researchers from Bishop Fox have recently identified a new critical vulnerability of IoT devices that might not be obvious to many of us. Their recent study shows that hardware random number generators (RNGs) used in billions of IoT devices fail to provide sufficient entropy.

The use of random number generators

Protecting IoT connected devices, their communications, and their data requires the implementation of cryptographic systems on these typically low-cost devices. An important building block for these systems is an RNG. Random numbers are important, because for most cryptographic protocols they provide the required unpredictability to fend off potential attackers. For example, encryption keys are created from random numbers to make it impossible for an attacker to guess these keys and break the encryption.

There are two main ways to create random numbers on a device. In the first approach, random numbers are generated by a truly random physical source on the device that provides enough randomness to serve all cryptographic protocols that need to run on a device.

Vous êtes certain ?

Si vous désactivez les cookies, vous ne pouvez plus naviguer sur le site.

Vous allez être rediriger vers Google.