Submitted via IRC for SoyCow4408
A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won't be an easy one to solve.
This was the conclusion reached by the team at security house Keyfactor, which analyzed a collection of 75 million RSA certificates gathered from the open internet and determined that number combinations were being repeated at a far greater rate than they should, meaning encrypted connections could possibly be broken by attackers who correctly guess a key.
Comparing the millions of keys on an Azure cloud instance, the team found common factors were used to generate keys at a rate of 1 in 172 (435,000 in total). By comparison, the team also analyzed 100 million certificates collected from the Certificate Transparency logs on desktops, where they found common factors in just five certificates, or a rate of 1 in 20 million.
The team believes that the reason for this poor entropy is down to IoT devices. Because the embedded gear is often based on very low-power hardware, the devices are unable to properly generate random numbers.
The result is keys that could be easier for an attacker to break, leaving the device and all of its users vulnerable.
Source: https://www.theregister.co.uk/2019/12/16/internet_of_crap_encryption/
(Score: 3, Interesting) by driverless on Wednesday December 18 2019, @06:27AM (4 children)
This is just more IoS practice, nothing much to do with them being low-powered devices. In fact a huge amount of IoS stuff is Linux-powered, which has decent entropy sources and management. If you do care about security it's really not hard to get right even with zero entropy sources and no OS support because even when you're on some genuinely restricted device running eCos or VxWorks or similar (not a full OS like Linux) you just load a random seed into the device when it's provisioned and you're set.
Of course, you actually have to care about security for that.
(Score: 1, Informative) by Anonymous Coward on Wednesday December 18 2019, @09:44AM (2 children)
Well, Linux is pretty good about estimating entropy. But it doesn't magically create it where none is available. Embedded devices often don't have *any* good source of entropy available.
The thing that has to happen is IoT vendors need to use good-quality hardware RNGs. Even cheap $5 microcontrollers have these, and if for some reason yours doesn't, there are cheap $3 crypto ASICs that have those, plus AES encryption, key storage, and a variety of other features of varying usefulness. But for that, the vendors have to actually care about security. User security isn't worth $0.30 to most of them, much less $3.
(Score: 2) by driverless on Wednesday December 18 2019, @12:40PM (1 child)
You're thinking about this like a security person, not a hardware vendor. Adding a "cheap $3 crypto ASIC" can double the BOM for something that adds no value to the buyer, as well as requiring a hardware redesign to fit it, maybe changing the form factor and certainly changing the power budget. Getting good randomness costs close to zero, with no change to the hardware, if you just care about security enough to load a random seed as part of the provisioning process. That's what we do with every embedded device we ship, whether it claims to have a proper entropy source or not.
The problem is that vendors of IoS don't care about security much (see the near-infinite other security holes in their crap), not whether they have a hardware RNG or not.
(Score: 3, Interesting) by DannyB on Wednesday December 18 2019, @04:49PM
Security HAS value to the buyer. It's just that buyers assume it is already included in the package.
This is why those vendors need to have direct liability for all damages. Make them care. They could make these IoT devices be the Security Hardened Internet of Things. (SHIoT)
Why is it so difficult to break a heroine addiction?
(Score: 2) by FatPhil on Wednesday December 18 2019, @04:18PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by stormwyrm on Wednesday December 18 2019, @06:29AM (2 children)
This is a topic that's been one of the focuses of my current diversions into hardware hacking, and I'm finding that making a good hardware random number generator is far from a trivial task. But that's not an excuse to not even try. I recently found a paper [iacr.org] that shows how a reasonably robust and auditable hardware RNG with reasonable levels of power consumption can be made that occupies about 16-18 mm of physical circuit board space on a side and costs about $1.44 in additional parts. Even smaller circuits [betrusted.io] are possible.
Numquam ponenda est pluralitas sine necessitate.
(Score: 0) by Anonymous Coward on Wednesday December 18 2019, @09:33AM (1 child)
just use some random memory address.
(Score: 2) by Freeman on Wednesday December 18 2019, @04:06PM
Or just base it on a fair dice roll.
https://www.xkcd.com/221/ [xkcd.com]
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by Dr Spin on Wednesday December 18 2019, @07:15AM (1 child)
Genuinely random information is available at almost all the inputs to the device relatively painlessly.
You might want to google "entropy".
Unfortunately, actual knowledge is needed to write the software competently, and there is no evidence
that the people responsible for IoT devices have anything that could be described as knowledge or competence.
Hint: cut and paste from Sourceforge or Github is not "writing software". I should know: I wrote some of that stuff.
Warning: Opening your mouth may invalidate your brain!
(Score: 3, Informative) by stormwyrm on Wednesday December 18 2019, @02:11PM
Numquam ponenda est pluralitas sine necessitate.