- A team of researchers has found that many devices generate RSA keys that share a common factor.
- In the majority of the problematic cases, the reason behind the issue is underpowered hardware.
- IoT vendors promote encrypted-communication features, and consumers are convinced by these claims.
Researchers from the “Keyfactor” cyber-security team warn the public about specific encryption weaknesses that underpin 1 in 172 of the RSA digital certificates and keys in use today. This means that about 0.58% of the IoT (Internet of Things) devices in operation right now are vulnerable to factoring attacks. The main cause of the vulnerability is poor entropy, which narrows the range of the randomness and ultimately leads to the generation of weak keys and certificates. Simply put, because 1 in 172 keys shares a prime factor with another key generated the same way, an attacker can factor them and recover the encrypted data.
The team found that over 435,000 certificates currently in use share a common factor in their keys, with the issue affecting modems, firewalls, routers, and IoT devices. If a hacker recovers the key, they could intercept encrypted communications, eavesdrop on the user of the flawed device, and even launch a complete takeover attack. The researchers believe that the low processing power of many of these devices is what makes it hard for them to generate strong enough keys. On desktops, they found common factors in only 1 in 20 million certificates, so this is not a problem on adequately powered systems.
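The shared-factor weakness described above can be audited for in a fleet of certificates with nothing more than GCD arithmetic. The following is an added illustration, not code from Keyfactor or from the study; it uses constructed toy primes (far too small for real RSA, but the arithmetic is identical) and a hypothetical device set in which two moduli share a prime.

```python
from functools import reduce
from math import gcd

# Constructed toy primes; real RSA primes are hundreds of digits long.
P1, P2, P3, P4, P5 = 1000003, 1000033, 1000037, 1000039, 1000081

# Constructed fleet of device moduli: modem-A and router-B share P1,
# camera-C is sound. In practice these would come from the certificates.
MODULI = {
    "modem-A": P1 * P2,
    "router-B": P1 * P3,
    "camera-C": P4 * P5,
}


def shared_factor_audit(moduli):
    """Return {name: (p, q)} for each modulus sharing a prime with another.

    Uses the batch trick gcd(n_i, product of the other moduli), which finds a
    shared prime in one step; if n_i shares *both* of its primes the batch
    GCD equals n_i itself, so we fall back to pairwise GCDs. A modulus that is
    an exact duplicate of another (gcd == n) cannot be split and is reported
    with factors (None, None)."""
    names = list(moduli)
    product = reduce(lambda a, b: a * b, moduli.values(), 1)
    weak = {}
    for name in names:
        n = moduli[name]
        g = gcd(n, product // n)
        if g == 1:
            continue  # no prime in common with any other modulus
        if g == n:  # both primes shared: look for a proper divisor pairwise
            g = next((gcd(n, moduli[o]) for o in names
                      if o != name and 1 < gcd(n, moduli[o]) < n), None)
        weak[name] = (None, None) if g is None else (min(g, n // g), max(g, n // g))
    return weak


def recover_private_exponent(n, p, q, e=65537):
    """Once p and q are known the private exponent d follows directly,
    which is why a single shared prime means total key compromise."""
    assert p * q == n
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    for device, (p, q) in shared_factor_audit(MODULI).items():
        print(f"{device}: weak key, factors {p} x {q}")
```

Running the audit over a real collection means loading the moduli out of the certificates; the GCD logic is unchanged.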
This raises many questions about the security of weaker devices, on which Amazon wants to deploy its Alexa AI. If these severely underpowered IoT devices are unable to generate strong keys, they could serve as easily exploitable entry points for malicious actors. Remember, a single device compromised by hackers opens up the possibility of deeper network infiltration and lateral movement. For this reason, you are always advised to set up and use a separate Wi-Fi network for the IoT devices inside your house.
The Keyfactor study highlights the importance of strong RSA encryption, and the false sense of security created when encryption is merely present. Many IoT manufacturers tout their devices’ ability to generate encryption keys, implying unbreakable security and privacy, but as we now realize, this is not always the case. To make matters worse, the flawed devices are very difficult to patch, as many of them don’t even support patching, are inaccessible to the vendor, or are simply no longer supported. All that said, it is time for consumers to start treating IoT devices with care, which means identifying the risks that come with using them and taking the appropriate precautionary measures.