Random number generation is critical to cryptography — it's what makes keys hard to guess. The more predictable a random number, the less secure the cryptography. According to new research, a massive chunk of the internet-connected things industry is relying on some very predictable numbers.
In a DEF CON talk officially released on Saturday (many of this year's talks were pre-recorded and available to stream before their scheduled time), Dan Petro and Allan Cecil, both of Bishop Fox, outline systemic problems with hardware random number generators. That creates systemic problems for the devices that obtain random numbers directly from hardware random number generators.
"One of our top-line takeaways is that this process of talking to hardware RNG [random number generators] directly is just untenable. It's far too complicated on so many levels, to the point where it should really be considered like writing cryptographic code, where it is just too unsafe to do on your own," Petro told SC Media.
Internet of things devices involve multiple vendors — the company that makes a toaster almost definitely did not design the microprocessors used in the toaster. If the toaster is designed with an operating system, the toaster-maker almost definitely did not design the operating system. So a company making an IoT device may have no reason to assume that the chip producing random numbers is falling short.
But several are. Some chips do not seed pseudo-random numbers from a unique starting point, meaning the numbers aren't random at all. With other chips, several numbers appear to occur more often than others. A line graph of a large enough quantity of randomly generated numbers should approximate a straight line, with every number coming up about as often as any other. Graphing the results of a MediaTek chip they investigated produced a sawtooth pattern.
Chips can only produce random numbers at a limited rate. Request too many in succession, and they will spit out an error message and record the random number as zero. If a developer checks for the error, they can avoid accepting piles and piles of zeros. But, said Petro and Cecil, no one checks, because everyone assumes the RNG just works.
"One was hilarious. In their 1,000-plus-page documentation, on page 1,116 or so, there is a specific paragraph that tells you every time you call the RNG, you have to call it 32 times and throw away all those results before calling it again," said Cecil.
"It's so weird that even if you saw the code implemented correctly, you might think it was a mistake and fix it," said Petro.
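The unchecked-status failure mode described above, as an added example that is not code from the talk or from any vendor: a constructed, hypothetical chip model (`hw_rng_read`, `RNG_ERR_BUSY`, the four-word burst limit are all invented) that reports an error and leaves the output at zero once its rate limit is hit, next to the firmware pattern that ignores the status and the one that checks it and fails closed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a hardware RNG register interface; names and
 * behaviour are hypothetical, modelled on the article's description:
 * past a short burst the chip reports an error and leaves the output at 0. */
#define RNG_OK       0
#define RNG_ERR_BUSY 1
#define RNG_BURST    4                  /* words the simulated chip yields per burst */

static int      g_budget = RNG_BURST;
static uint32_t g_state  = 0x2545F491u; /* non-zero xorshift seed */
void hw_rng_reset(void) { g_budget = RNG_BURST; }

int hw_rng_read(uint32_t *out) {
    if (g_budget == 0) { *out = 0; return RNG_ERR_BUSY; } /* rate limit hit */
    g_budget--;
    g_state ^= g_state << 13; g_state ^= g_state >> 17; g_state ^= g_state << 5;
    *out = g_state;                     /* xorshift32 never yields 0 from a non-zero state */
    return RNG_OK;
}

/* Vulnerable pattern described in the talk: the status is never checked, so
 * every word requested past the burst limit is silently stored as zero. */
void fill_key_unchecked(uint32_t *key, size_t words) {
    for (size_t i = 0; i < words; i++) hw_rng_read(&key[i]);
}

/* Hardened pattern: check every status; on failure wipe the buffer and fail closed. */
int fill_key_checked(uint32_t *key, size_t words) {
    for (size_t i = 0; i < words; i++)
        if (hw_rng_read(&key[i]) != RNG_OK) { memset(key, 0, words * sizeof key[0]); return -1; }
    return 0;
}

size_t count_zero_words(const uint32_t *key, size_t words) {
    size_t n = 0;
    for (size_t i = 0; i < words; i++) n += (key[i] == 0);
    return n;
}

/* Scenario helpers: fresh chip, then `words` (at most 16) requested in one burst. */
size_t zeros_after_unchecked_fill(size_t words) {
    uint32_t key[16]; hw_rng_reset(); fill_key_unchecked(key, words);
    return count_zero_words(key, words);
}
int checked_fill_status(size_t words) {
    uint32_t key[16]; hw_rng_reset(); return fill_key_checked(key, words);
}
```

With an eight-word key requested in one burst, the unchecked fill leaves half the key as zero words, while the checked fill refuses to hand back a key at all.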
The problem only exists in IoT devices not using an operating system (though they found some operating systems that were also not using cryptographically secure random number generation). Operating systems can add additional sources of entropy to random numbers. The hardware RNG problem exists in devices that grab numbers from the chip directly.
The fix is simple, said Petro and Cecil: Use an operating system.
That solution creates a maddening conundrum in IoT. The problem could be fixed with a software update. But IoT devices are notoriously difficult, when not outright impossible, to update.
This is an industry-wide problem, the researchers caution.
"The problem isn't that there's somebody that wrote a buggy piece of software or that some individual manufacturer had a bug in their code. It's that fundamentally the industry is doing random number generation wrong. This is us standing up in front of the industry — the IoT industry — saying that. You're doing it wrong," said Petro.