A recent study revealed a major vulnerability in RSA keys, especially in IoT devices. Researchers found that about 1 in 172 keys share a factor with another, making them vulnerable to attack. This issue is mainly caused by poor random number generation during key creation, which is common in IoT devices with limited entropy sources.
All about the vulnerability
RSA key security relies on two large prime numbers used to generate the public key. If these primes aren’t chosen randomly, multiple keys may share a prime factor. By calculating the Greatest Common Divisor (GCD) of two RSA moduli, attackers can easily find shared factors, compromising both keys.
This method is simpler than factoring the RSA modulus and works well for large datasets. The widespread use of IoT devices increases the risk, as compromising them could have serious consequences.
The study analyzed 75 million RSA keys and added 100 million certificates from Certificate Transparency logs. It found a higher vulnerability rate in the broader internet dataset, mainly due to IoT devices with limited entropy, which lead to predictable random number generation.
Similar vulnerabilities were found in 2012 and 2016, where many keys were compromised due to shared factors.
Impacts
This vulnerability poses serious risks, especially with the growing use of IoT devices in critical sectors like healthcare and transportation. Attacks could lead to data breaches or even physical harm.
Patching IoT devices is difficult due to their decentralized nature and lack of centralized management. The availability of cloud computing makes it easier for attackers to exploit these weaknesses at low cost.
To reduce risks, manufacturers should ensure keys are generated with enough randomness, using external entropy sources. Improved patching systems and greater awareness of IoT security are also needed. Addressing these vulnerabilities is crucial as the IoT ecosystem continues to grow.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment