"Fundamental Flaw in RNGs Affects Many IoT Devices"

According to researchers Allan Cecil and Dan Petro from Bishop Fox, most modern Internet of Things (IoT) devices have flawed hardware-based Random Number Generators (RNGs). These RNGs have a fundamental flaw that weakens the security of the encryption keys that they generate for communications. The RNGs do not truly produce random numbers. This is a serious problem, given that the whole purpose of the RNG is to generate random numbers, which are then used as seeds for encryption keys. The vulnerability is not limited to a group of vendors or specific IoT operating systems. The researchers stress that it is a widespread problem, and there is currently no simple way to address it. The problem stems from the fact that the hardware RNGs in IoT devices give errors relatively often, and the software normally does not check those error codes. A contributing factor to this problem is that, by design, IoT devices are generally fairly bare-bones regarding software. Therefore, they do not have the safety net of an Operating System (OS) to help deal with serious errors. One of the researchers pointed out that we are just running C or C++ on bare metal, and the return error codes on the RNG are not checked. The researchers call on designers of IoT operating systems to implement a cryptographically secure RNG (CSPRNG) in their OS, which is said to be the most straightforward and effective way to address the weakness in the RNGs on IoT devices. Unlike RNGs, CSPRNGs are not hardware-based and are designed to be attack-resistant. CSPRNGs also do not have the failure states that RNGs do. The CSPRNG subsystem can immediately generate an endless sequence of strong random numbers, which addresses the problem of HAL functions that either block program execution or fail. Cecil and Petro say the problem is not the result of errors made by various developers who write software for IoT devices, as it is a systemic issue with the way in which RNGs function. This article continues to discuss the critical RNG flaw affecting billions of IoT devices and the most effective way suggested by Bishop Fox researchers to address the weakness.

Decipher reports "Fundamental Flaw in RNGs Affects Many IoT Devices"