Security News > 2021 > August > A Critical Random Number Generator Flaw Affects Billions of IoT Devices
A critical vulnerability has been disclosed in hardware random number generators used in billions of Internet of Things devices whereby it fails to properly generate random numbers, thus undermining their security and putting them at risk of attacks.
"It turns out that these 'randomly' chosen numbers aren't always as random as you'd like when it comes to IoT devices," Bishop Fox researchers Dan Petro and Allan Cecil said in an analysis published last week.
Random number generation is a crucial process that undergirds several cryptographic applications, including key generation, nonces, and salting.
On traditional operating systems, it's derived from a cryptographically secure pseudorandom number generator that uses entropy obtained from a high-quality seed source.
When it comes to IoT devices, this is supplied from a system-on-a-chip that houses a dedicated hardware RNG peripheral called a true random number generator that's used to capture randomness from physical processes or phenomen?.
"They're only capable of producing so many random bits per second. If you try calling the RNG HAL function when it doesn't have any random numbers to give you, it will fail and return an error code. Thus, if the device tries to get too many random numbers too quickly, the calls will begin to fail."