Internet of crap (encryption): IoT gear generates easy-to-crack keys
Poor entropy in embedded devices leading to weaker certificates: study
A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won't be an easy one to solve.
This was the conclusion reached by the team at security house Keyfactor, which analyzed a collection of 75 million RSA certificates gathered from the open internet and determined that number combinations were being repeated at a far greater rate than they should, meaning encrypted connections could possibly be broken by attackers who correctly guess a key.
Comparing the millions of keys on an Azure cloud instance, the team found common factors were used to generate keys at a rate of 1 in 172 (435,000 in total). By comparison, the team also analyzed 100 million certificates collected from the Certificate Transparency logs on desktops, where they found common factors in just five certificates, or a rate of 1 in 20 million.
The team believes that the reason for this poor entropy is down to IoT devices. Because the embedded gear is often based on very low-power hardware, the devices are unable to properly generate random numbers.
The result is keys that could be easier for an attacker to break, leaving the device and all of its users vulnerable.
"The widespread susceptibility of these IoT devices poses a potential risk to the public due to their presence in sensitive settings," Keyfactor researchers Jonathan Kilgallin and Ross Vasko noted.
"We conclude that device manufacturers must ensure their devices have access to sufficient entropy and adhere to best practices in cryptography to protect consumers."
The recommendation is that IoT hardware vendors step up their security efforts to improve the entropy of these devices and make sure that their hardware is able to properly set up secure connections.
If vendors don't step up and address the issue, there is a good chance that criminal hackers will. The team says its experiments showed that this sort of attack could be pulled off without much in the way of an up-front investment.
"With modest resources, we were able to obtain hundreds of millions of RSA keys used to protect real-world traffic on the internet," said Kilgallin and Vasko.
"Using a single cloud-hosted virtual machine and a well-studied algorithm, over 1 in 200 certificates using these keys can be compromised in a matter of days." ®