Fundamental Flaw in Random Number Generator Affects IoT Devices

1255
Illustration: Greg Mably

A fairly critical issue has been disclosed in hardware random number generators used in many IoT devices, that makes them  vulnerable to attacks. 

Computers generate secrets through an RNG that forms the base for cryptography to perform security operations like access control, encryption and authentication. While traditional operating systems use cryptographically secure pseudorandom number generator, IoT devices use hardware RNG peripheral from a system-on-a-chip (SoC) called the true random number generator. It captures randomness from physical mechanism and forms strong walls to computer security. 

“It turns out that these ‘randomly’ chosen numbers aren’t always as random as you had like when it comes to IoT devices,” Bishop Fox researchers Dan Petro and Allan Cecil said in an analysis. “In fact, in many cases, devices are choosing encryption keys of 0 or worse. This can lead to a catastrophic collapse of security for any upstream use.”

The researchers point out that most new IoT SoCs have dedicated hardware RNG periphery designed to solve this specific problem, but it is not easy as it sounds. “How you use the peripheral is critically important, and the current state of the art in IoT can only be aptly described as “doing it wrong,” analysis added. 

Incorrectly calling the hardware RNG

IoT device calls to the dedicated hardware RNG through its operating system or device SDK. What the function call is named varies, but it takes place in the hardware abstraction layer (HAL). The manufacturer creates this API to easily interface with the hardware through C code. 

Stating that the peripheral is being current invoked wrongly, the researchers noted the lack of checks for error code responses, heading to a situation where the random number generated is not random, resulting in opening to attacks.

Researchers identify that HAL function errors from RNG failure will impact a device depending on the hardware either by partial entropy, the number O or uninitialised memory. 

“The HAL function to the RNG peripheral can fail for a variety of reasons, but by far the most common (and exploitable) is that the device has run out of entropy,” the researchers noted. “Hardware RNG peripherals pull entropy out of the universe through a variety of means (such as analog sensors or EMF readings) but don’t have it in infinite supply.

“They’re only capable of producing so many random bits per second. If you try calling the RNG HAL function when it doesn’t have any random numbers to give you, it will fail and return an error code. Thus, if the device tries to get too many random numbers too quickly, the calls will begin to fail.”

Meanwhile, though it is an exploitable large scale issue, the users cannot be blamed for. When such an error is identified, only two options could be followed – to abort the process or spin loop on the HAL function. Finding both the options less easier, the developers tend to ignore the error connection, the researchers opine. 

“Things aren’t much better even when developers have the benefit of time on their side. Some devices, like the STM32, have sizable documentation and even vendor-provided proof of randomness whitepapers, but these are an exception. Few devices have even a basic description of how the hardware RNG is supposed to work, and fewer still have any kind of documentation about basic things like expected operating speed, safe operating temperature ranges, and statistical evidence of randomness.”

The problem is unique to the IoT systems as they lack an operating system to handle this. The researchers highlight the benefits of a larger entropy pool associated with a CSPRNG subsystem to solve this.

One of the hard parts about this vulnerability is that it’s not a simple case of “you zigged where you should have zagged” that can be patched easily. In order to remediate this issue, a substantial and complex feature has to be engineered into the IoT device.