An Unexpected IoT Problem: Not Enough Randomness

By Pim Tuyls, Intrinsic-ID
eeNewsEurope (October 12, 2021)

A critical flaw in random number generators puts the security of billions of low-cost IoT devices at risk. This means a new approach for generating random numbers is needed, which can be found in extracting entropy from SRAM behaviour. This only requires a software installation, meaning the security systems of billions of devices can be patched without the need to make hardware changes, even in devices that have already been deployed.

Every day brings news of attacks on devices connected to the Internet of Things (IoT). The number of connected devices in the IoT is rapidly increasing, and the number of attacks on these devices is growing at an even more explosive rate.

In the first half of 2021, the number of attacks on IoT devices has mre than doubled to 1.5 billion attacks in just six months. Some are high-profile attacks, that gain a lot of media attention, like the Colonial Pipeline hack or new botnet attacks in the spirit of Mirai. But there have also been countless attacks on very personal devices such as baby monitors and even cardiac devices.

There are some typical areas of weakness in IoT devices that are exploited frequently. Examples like weak passwords, lack of regular patches and updates, insecure interfaces, and insufficient data protection are all too common when it comes to these attacks. However, researchers from Bishop Fox have recently identified a new critical vulnerability of IoT devices that might not be obvious to many of us. Their recent study shows that hardware random number generators (RNGs) used in billions of IoT devices fail to provide sufficient entropy.

To read the full article, click here