Stories
Slash Boxes
Comments

SoylentNews is people

Internet of Crap (Encryption): IoT Gear is Generating Easy-To-Crack Keys

posted by martyb on Wednesday December 18 2019, @03:23AM   Printer-friendly
from the random-error dept.

MrPlow writes:

Submitted via IRC for SoyCow4408

A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won't be an easy one to solve.

This was the conclusion reached by the team at security house Keyfactor, which analyzed a collection of 75 million RSA certificates gathered from the open internet and determined that number combinations were being repeated at a far greater rate than they should, meaning encrypted connections could possibly be broken by attackers who correctly guess a key.

Comparing the millions of keys on an Azure cloud instance, the team found common factors were used to generate keys at a rate of 1 in 172 (435,000 in total). By comparison, the team also analyzed 100 million certificates collected from the Certificate Transparency logs on desktops, where they found common factors in just five certificates, or a rate of 1 in 20 million.

The team believes that the reason for this poor entropy is down to IoT devices. Because the embedded gear is often based on very low-power hardware, the devices are unable to properly generate random numbers.

The result is keys that could be easier for an attacker to break, leaving the device and all of its users vulnerable.

Source: https://www.theregister.co.uk/2019/12/16/internet_of_crap_encryption/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Internet of Crap (Encryption): IoT Gear is Generating Easy-To-Crack Keys | Log In/Create an Account | Top | 10 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by FatPhil on Wednesday December 18 2019, @04:18PM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Wednesday December 18 2019, @04:18PM (#933763) Homepage
    Some prior instances of this problem have been because of the key generating devices being ultra-low power/capability, meaning that corners were cut. I'm thinking of some issues of ID cards here in Estonia (which permit be to do everything, identify myself to my bank, pay my taxes, sign my company accounts, etc., so really really really important parts of the Estonian IT infrastructure). Tests showed that the primes were exhibitting something terrible like only 64 bits of entropy, rather than many hundreds. Of course, they were third party, and the supplier got a slap and its name dragged through the dirt a bit, and it got fixed (maybe even another chip supplier, I forget now. If the code running on the card had been open source, or even shared source, none of this would have happened, of course, as the crappy algorithm used would jump out like a huge red flag on even a cursary security audit.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2