Some estimates put the number of IoT devices at more than 9 billion, so it is very disturbing to read a report that “Designers of IoT devices need to pay closer attention to the encryption available on their devices.” The December 16, 2019 report, entitled “Weak Crypto Practice Undermining IoT Device Security,” included these details from Keyfactor, which was “able to break nearly 250,000 distinct RSA keys – many associated with routers, wireless access points, and other Internet-connected devices”:

Researchers at Keyfactor recently collected some 175 million RSA certificates and keys from the Internet using a proprietary SSL/TLS certificate discovery process and then analyzed the data using a particular mathematical method.

The analysis showed that roughly 435,000 of the RSA certificates analyzed—or roughly 1 in every 172 active certificates—were vulnerable to compromise or attack. A high percentage of the weak certificates belonged to routers, modems, firewalls, and other network devices.

Other potentially impacted devices included cars and medical implants.

The problem, according to Keyfactor, is the insufficient entropy—or randomness—that is used in generating encryption keys on these devices.

This gets worse, since some estimates are that there will be 20 billion IoT devices in the next couple of years!
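To make the entropy problem concrete, here is an added example (not code from the report or from Keyfactor; the report as quoted here does not name the mathematical method). When devices pick primes from too little randomness, two different RSA moduli can share a prime, and a GCD over the public moduli exposes it. The code audits a constructed inventory for that condition using a batch-GCD check, which is an assumption about a suitable method; `batch_gcd`, `audit` and the device names are hypothetical.

```python
from math import gcd, prod

def batch_gcd(moduli):
    """g[i] = gcd(n_i, product of all other moduli), via product/remainder trees."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:                      # product tree, leaves upward
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    rems = tree.pop()                             # root: product P of all moduli
    while tree:                                   # remainder tree, root downward
        level = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # rems[i] == P mod n_i^2, so rems[i] // n_i == (P / n_i) mod n_i
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(inventory):
    """inventory: iterable of (device_id, modulus). Returns {device_id: finding}."""
    owners = {}
    for dev, n in inventory:
        owners.setdefault(n, []).append(dev)
    unique = list(owners)                         # dedupe first: identical moduli
    findings = {}                                 # are reported separately
    for n, g in zip(unique, batch_gcd(unique)):
        if len(owners[n]) > 1:
            verdict = "duplicate-modulus"         # same key on several devices
        elif g != 1:
            verdict = "shared-prime"              # another key shares one of its primes
        else:
            verdict = "ok"
        for dev in owners[n]:
            findings[dev] = verdict
    return findings

# Constructed inventory; toy-sized moduli (real RSA moduli are 2048+ bits).
INVENTORY = [
    ("router-a", 1009 * 1013),
    ("router-b", 1009 * 1019),   # reuses prime 1009
    ("camera-c", 1021 * 1031),
    ("camera-d", 1021 * 1031),   # identical key
    ("ap-e",     1033 * 1039),
]

if __name__ == "__main__":
    for dev, verdict in audit(INVENTORY).items():
        print(f"{dev}: {verdict}")
```

Any device flagged `shared-prime` or `duplicate-modulus` should have its key pair regenerated after the device's random number source has been properly seeded.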
