A newly reported weakness in Internet of Things (IoT) hardware, of the kind increasingly deployed in remote-work environments, is said to affect more than 35 billion devices worldwide.
According to Bishop Fox Labs, the vulnerability applies to virtually “every IoT device with a hardware random number generator (RNG).” The risk is that the RNG fails to produce truly random output, which undermines everything built on top of it: keys, nonces, session tokens and the like. Such randomness forms what Bishop Fox calls “the basis of cryptography, access controls, authentication and more.”
Bishop Fox notes that new IoT systems-on-chip do ship with a dedicated hardware RNG peripheral, but that “the current state of the art in IoT can only be aptly described as ‘doing it wrong’”: most developers never check the error codes returned by the RNG hardware abstraction layer (HAL), so a failed call silently yields a zeroed or stale buffer; most devices fail statistical randomness tests; and the quality of the raw entropy from IoT hardware RNG peripherals varies widely from chip to chip.
To address the flaw, the source recommends:
- Device Owners – Apply software patches and updates as they become available, remain wary of trusting IoT devices “too much” and place hardware on dedicated network segments that can only reach out externally.
- Device Developers – Choose devices and SDKs that provide a CSPRNG API seeded from multiple entropy sources rather than reading the hardware RNG directly, check the HAL’s error codes on every call, regularly review libraries and code, and consider the implications when a blocking call (one that waits until enough entropy is available) is not an option.
- Device Manufacturers – Deprecate or disable direct-use RNG HAL functions in the SDK, and instead provide a CSPRNG API that draws on multiple entropy sources and handles the hardware RNG correctly, including its error conditions.
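The following C example is added here to illustrate the unchecked-error-code bug Bishop Fox describes and the developer-side fix recommended above; it is not Bishop Fox’s code or any vendor’s SDK. The HAL (`hal_rng_generate`, `sim_rng_set_ready`) and its behaviour of leaving the output buffer untouched on failure are a simulation, and the noise source is a stand-in LCG, not a real peripheral. It contrasts a caller that discards the HAL status with one that checks it, and adds the NIST SP 800-90B repetition-count health test so a stuck peripheral is caught before its output is used.

```c
/* Added example, not Bishop Fox's or any vendor's code. Hypothetical HAL names:
 * hal_rng_generate, sim_rng_set_ready. The LCG below stands in for a true
 * noise source and is NOT random; it only drives the control flow. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { HAL_OK = 0, HAL_ERROR = 1 } hal_status_t;

/* Simulation state: whether the peripheral currently has entropy ready. */
static int sim_rng_ready = 0;
static uint32_t sim_state = 0x12345678u;

void sim_rng_set_ready(int ready) { sim_rng_ready = ready; }

/* Simulated HAL: on HAL_ERROR the output word is NOT written, mirroring the
 * "buffer left as-is" behaviour that makes ignoring the status dangerous. */
hal_status_t hal_rng_generate(uint32_t *out)
{
    if (!sim_rng_ready)
        return HAL_ERROR;
    sim_state = sim_state * 1664525u + 1013904223u;   /* stand-in, not entropy */
    *out = sim_state;
    return HAL_OK;
}

/* The "doing it wrong" pattern: the status is discarded, so when the
 * peripheral is not ready the caller uses the initial value 0 as key material. */
uint32_t key_word_unchecked(void)
{
    uint32_t w = 0;
    (void)hal_rng_generate(&w);
    return w;
}

/* Hardened: check the status, retry a bounded number of times, and report
 * failure instead of returning a non-random value. Returns 0 on success. */
int key_word_checked(uint32_t *out, int max_tries)
{
    for (int i = 0; i < max_tries; i++) {
        if (hal_rng_generate(out) == HAL_OK)
            return 0;
    }
    return -1;   /* caller must abort key generation, never fall through */
}

/* Repetition count test (NIST SP 800-90B section 4.4.1): fail when any value
 * appears `cutoff` or more times in a row. Returns 1 on pass, 0 on fail. */
int repetition_count_ok(const uint8_t *buf, size_t n, unsigned cutoff)
{
    if (n == 0)
        return 1;
    unsigned run = 1;
    for (size_t i = 1; i < n; i++) {
        run = (buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run >= cutoff)
            return 0;
    }
    return 1;
}

/* Cutoff C = 1 + ceil(-log2(alpha) / H) with alpha = 2^-20 (false-alarm rate)
 * and an assumed H = 1 bit of min-entropy per byte: C = 21. */
#define RC_CUTOFF 21u

/* Fill `buf` from the HAL, keeping one byte per 32-bit sample for simplicity.
 * Returns 0 on success, -1 on HAL failure or a failed health test. */
int fill_random_checked(uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t w;
        if (key_word_checked(&w, 3) != 0)
            return -1;
        buf[i] = (uint8_t)w;
    }
    return repetition_count_ok(buf, n, RC_CUTOFF) ? 0 : -1;
}

/* Drives the checked path with the peripheral in the given state. */
int checked_fill_with_rng(int ready)
{
    uint8_t buf[64];
    sim_rng_set_ready(ready);
    return fill_random_checked(buf, sizeof buf);
}

/* Simulates a stuck-at peripheral (constant output); 1 if the test rejects it. */
int stuck_output_is_rejected(void)
{
    uint8_t stuck[64];
    for (size_t i = 0; i < sizeof stuck; i++)
        stuck[i] = 0xAB;
    return repetition_count_ok(stuck, sizeof stuck, RC_CUTOFF) == 0;
}

int main(void)
{
    sim_rng_set_ready(0);
    printf("unchecked key word, RNG not ready: 0x%08x\n", key_word_unchecked());
    printf("checked fill, RNG not ready: %d\n", checked_fill_with_rng(0));
    printf("checked fill, RNG ready: %d\n", checked_fill_with_rng(1));
    printf("stuck peripheral rejected: %d\n", stuck_output_is_rejected());
    return 0;
}
```

In a real SDK the bytes that pass the health test would be fed into a conditioner or DRBG (for example an HMAC_DRBG) together with other entropy sources, rather than used directly; the point here is that the checked path can only fail closed, whereas the unchecked one hands a constant to the caller with no indication anything went wrong.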