Weak Crypto Practice Undermining IoT Device Security

Keyfactor says it was able to break nearly 250,000 distinct RSA keys - many associated with routers, wireless access points, and other Internet-connected devices.

A failure by many IoT device manufacturers to follow cryptographic best practices is leaving a high proportion of the devices vulnerable to attack, researchers warn.


Researchers at Keyfactor recently collected some 175 million RSA certificates and keys from the Internet using a proprietary SSL/TLS certificate discovery process and then analyzed the data using a particular mathematical method.


The analysis showed that roughly 435,000 of the RSA certificates analyzed—or roughly 1 in every 172 active certificates—were vulnerable to compromise or attack. A high percentage of the weak certificates belonged to routers, modems, firewalls, and other network devices. Other potentially impacted devices included cars and medical implants.


The problem, according to Keyfactor, is the insufficient entropy—or randomness—that is used in generating encryption keys on these devices.


RSA keys enable encrypted communication on the Internet. An RSA key is basically the product of two equally large and random prime numbers, both of which are private. "The security of RSA relies on the inability of another party to determine [the] two randomly chosen prime numbers from which the RSA public key is derived," Keyfactor researcher Jonathan Kilgallin said in a technical paper presented last week at an IEEE conference on trust and privacy in Los Angeles.


Normally, no two RSA keys should share the same prime factors. But Keyfactor's research showed about 435,000 certificates had a shared prime factor. This made it relatively easy to apply mathematical techniques to derive—or factor—the entire original RSA key. All it took Keyfactor researchers to crack about 250,000 of the vulne ..
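To illustrate why a shared prime is fatal, here is an added example (not Keyfactor's code) that audits an inventory of RSA moduli for common factors. The article does not name the method used; this sketch assumes the greatest common divisor, a standard way to detect a shared prime, and the device names and toy moduli are constructed.

```python
from itertools import combinations
from math import gcd


def mersenne(e):
    """Mersenne prime 2**e - 1 (prime for the exponents used below)."""
    return 2**e - 1


# Constructed sample inventory: toy moduli built from known primes so the
# arithmetic is easy to follow. Real RSA primes are around 1024 bits each.
SAMPLE_MODULI = {
    "router-a": mersenne(61) * mersenne(89),
    "modem-b": mersenne(107) * mersenne(127),
    "router-c": mersenne(61) * mersenne(31),  # same first prime as router-a
    "firewall-d": mersenne(19) * mersenne(17),
}


def audit_moduli(moduli):
    """Return {name: (p, q)} for every modulus sharing one prime with another.

    Pairwise comparison is quadratic in the number of keys, which is fine
    for a fleet inventory; Internet-scale surveys use a batch GCD instead.
    """
    factored = {}
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        g = gcd(n_a, n_b)
        if g == 1:
            continue  # no common factor: this pair is independent
        if g in (n_a, n_b):
            continue  # identical moduli: key reuse, but no factor is revealed
        # g is the shared prime; dividing it out yields each key's other prime.
        factored[name_a] = tuple(sorted((g, n_a // g)))
        factored[name_b] = tuple(sorted((g, n_b // g)))
    return factored


if __name__ == "__main__":
    for name, (p, q) in sorted(audit_moduli(SAMPLE_MODULI).items()):
        print(f"{name}: modulus fully factored, p={p}, q={q}")
```

Any key this audit flags should be regenerated on a device with a properly seeded random number generator, since both of its primes are recoverable from public data alone.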
