Researchers Discover Encryption Flaws in RSA Certificates, Affecting IoT Devices Primarily

Written by Bill Toulas
Last updated December 18, 2019

Researchers from the "Keyfactor" cyber-security team warn the public about specific encryption weaknesses that underpin 1-in-172 RSA digital certificates and keys that are used today. This means that about 0.58% of the IoT (Internet of Things) devices that are in operation right now are vulnerable to factoring attacks. The main cause of the vulnerability is the poor entropy which results in narrow-range randomness which finally leads to the generation of weak keys/certificates. Simply put, attackers can guess the encrypted data because 1-in-172 features the same prime factors in the randomization process.

The team has found out that over 435,000 certificates right now are using a common factor to generate keys, with the issue impacting modems, firewalls, routers, and IoT devices. If a hacker guesses the key, they could intercept encrypted communications, eavesdrop the user of the flawed device, and even launch a complete takeover attack. The researchers believe that it is the low power of many of these devices that makes it hard for them to generate strong enough keys. On desktops, they found that common factors were used in only 1-in-20 million certificates, so this is not a problem on adequately powered systems.

This raises many questions around the security of weaker devices where Amazon wants to deploy its Alexa AI. If these severely underpowered IoT devices are unable to generate strong security keys, they could serve as easily exploitable entry points for malicious actors. Remember, having a single device compromised by hackers means that the possibility for deeper network infiltration and lateral movement opens up. For this reason, you are always advised to set up and use a separate Wi-Fi network for the IoT devices inside your house.

The Keyfactor study highlights the significance of having a strong RSA encryption, and the deception that is created when it’s merely present. Many IoT manufacturers tout their devices’ capability to generate encryption keys, implying unbreakable security and privacy, but as we realize now, this is not always the case. To make matters worse, the flawed devices are very difficult to patch as many of them don’t even support patching, are inaccessible to the vendor, or are simply no longer supported. All that said, it is time for the consumer to start treating IoT devices with care, and this means to identify the risks that come with using them and take the appropriate precautionary measures.

Are you comfortable with the IoT devices that are active in your home? Let us know in the comments beneath, or join the discussion on our socials, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: