A critical flaw in random number generators puts the security of billions of low-cost IoT devices at risk. A new approach to generating random numbers is therefore needed, and one can be found in extracting entropy from SRAM behaviour. This requires only a software installation, so the security of billions of devices can be patched without hardware changes, even in devices that have already been deployed.
Every day brings news of attacks on devices connected to the Internet of Things (IoT). The number of connected devices in the IoT is rapidly increasing, and the number of attacks on these devices is growing at an even more explosive rate.
In the first half of 2021, the number of attacks on IoT devices more than doubled, to 1.5 billion attacks in just six months. Some are high-profile attacks that gain a lot of media attention, like the Colonial Pipeline hack or new botnet attacks in the spirit of Mirai. But there have also been countless attacks on very personal devices such as baby monitors and even cardiac devices.
There are some typical areas of weakness in IoT devices that are exploited frequently. Weak passwords, a lack of regular patches and updates, insecure interfaces, and insufficient data protection are all too common in these attacks. However, researchers from Bishop Fox have recently identified a new critical vulnerability in IoT devices that might not be obvious to many of us. Their recent study shows that hardware random number generators (RNGs) used in billions of IoT devices fail to provide sufficient entropy.
The use of random number generators
Protecting IoT-connected devices, their communications, and their data requires the implementation of cryptographic systems on these typically low-cost devices. An important building block for these systems is an RNG. Random numbers are important because, for most cryptographic protocols, they provide the unpredictability required to fend off potential attackers. For example, encryption keys are created from random numbers so that an attacker cannot guess these keys and break the encryption.
There are two main ways to create random numbers on a device. In the first approach, random numbers are generated by a truly random physical source on the device that provides enough randomness to serve all cryptographic protocols that need to run on a device.
However, a relatively large number of random bits are required for most typical security purposes, and there are very few sources that can meet this requirement.
The second way to generate random numbers is to combine a truly random source with a limited random-bit output with a cryptographically secure (deterministic) algorithm that can generate many random bits based on the limited amount of entropy of the physical source. Here, the physical source is used to provide a truly random seed, which is then used as input for a deterministic algorithm that generates many random bits.
The problem: predictable secrets
The study by Bishop Fox shows that there is a critical vulnerability in RNGs used in billions of IoT devices. In these devices the physical source fails to generate sufficient entropy, which leaves the deterministic algorithm with too little randomness to create a strong random output. This compromises the entire RNG solution and puts the devices at risk of attacks, as the random numbers employed become “guessable.” When random numbers become predictable, the foundation of many cryptographic algorithms is severely compromised. Secret keys will lose their strength, leading to broken encryption.
This calls for a new way to solve the problem of insufficient entropy within the typically limited resources of IoT devices. And this solution must be deployable not only in new IoT devices, but also in IoT devices already in the field.
The solution: SRAM as a NIST-certified source of sufficient entropy
The solution is to use SRAM as a NIST-certified source of sufficient entropy. It turns out that a component present on virtually any device, even those with limited resources, can be used as a physical source of randomness: the SRAM.
Whenever a chip is powered up, its SRAM fills with a random pattern of 0s and 1s. This powerup pattern is unique for that specific chip and can be used as a device identifier, a known principle called a Physical Unclonable Function (PUF). However, every individual powerup of the same chip has a certain amount of noise – unstable bits – in this unique pattern. Research from Intrinsic ID has shown that by harvesting this noise in the powerup behavior it is possible to extract sufficient entropy to create a strong seed that can be used as the basis for an RNG solution. Given that SRAM is part of most chips, extracting entropy from something that is already available has great cost advantages, as no additional hardware is required.
Intrinsic ID has used this concept in Zign™ RNG, which has successfully completed the RNG certification process by an independent accredited laboratory according to the NIST SP 800-90 standard defined by the National Institute of Standards and Technology (NIST). The true random seed of Zign RNG is harvested from the noise in SRAM using a construction that follows the NIST SP 800-90B specification, while the deterministic algorithm for increasing the number of available random bits is implemented as specified in NIST SP 800-90A.
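The two-stage construction described above (a physical noise source conditioned into a seed, then a deterministic SP 800-90A algorithm expanding that seed) is easy to get wrong if the fixed PUF fingerprint is mistaken for entropy. The following is an added illustration, not Intrinsic ID's code or Zign RNG: it uses a hypothetical, constructed SRAM model with a fixed per-cell preferred value plus per-cell flip probability, estimates min-entropy of the power-up noise with the conservative most-common-value bound from SP 800-90B, conditions the raw readings with SHA-256, and seeds a minimal HMAC_DRBG. Cell count, noisy fraction and the software pseudo-random noise source are all assumptions of the model.

```python
import hashlib, hmac, math, random

# Constructed SRAM model (hypothetical, not Intrinsic ID's): every cell has a fixed
# preferred power-up value (the PUF fingerprint) and a flip probability (the noise).
def make_chip(n_cells, noisy_fraction, rng):
    preferred = [rng.getrandbits(1) for _ in range(n_cells)]
    flip_p = [rng.uniform(0.0, 0.5) if rng.random() < noisy_fraction else 0.0
              for _ in range(n_cells)]
    return preferred, flip_p

def power_up(chip, rng):
    # One power-up read-out: the fingerprint with some unstable cells flipped.
    return bytes(b ^ (rng.random() < p) for b, p in zip(*chip))

def min_entropy_per_powerup(readings):
    # Per-cell min-entropy summed over the SRAM, using the conservative
    # most-common-value bound of SP 800-90B (99% upper bound on p_max).
    # Stable cells contribute 0: the fingerprint is an identifier, not a secret.
    n, total = len(readings), 0.0
    for cell in zip(*readings):
        p_hat = max(sum(cell), n - sum(cell)) / n
        p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / n))
        total -= math.log2(p_u)
    return total

def harvest_seed(chip, rng, entropy_per_powerup, seed_bits=256):
    # Collect enough power-ups to cover seed_bits of min-entropy, then condition
    # the raw noisy data with SHA-256 (a vetted conditioning function in 800-90B).
    needed = math.ceil(seed_bits / entropy_per_powerup)
    return hashlib.sha256(b"".join(power_up(chip, rng) for _ in range(needed))).digest()

class HmacDrbg:
    # Minimal HMAC_DRBG from SP 800-90A over SHA-256 (no reseed or extra input).
    def __init__(self, seed):
        self.k, self.v = b"\x00" * 32, b"\x01" * 32
        self._update(seed)
    def _update(self, data=b""):
        self.k = hmac.new(self.k, self.v + b"\x00" + data, "sha256").digest()
        self.v = hmac.new(self.k, self.v, "sha256").digest()
        if data:
            self.k = hmac.new(self.k, self.v + b"\x01" + data, "sha256").digest()
            self.v = hmac.new(self.k, self.v, "sha256").digest()
    def generate(self, n_bytes):
        out = b""
        while len(out) < n_bytes:
            self.v = hmac.new(self.k, self.v, "sha256").digest()
            out += self.v
        self._update()
        return out[:n_bytes]
```

A chip whose cells never flip yields an estimate of exactly 0 bits, which is the failure mode the Bishop Fox study describes: a source that looks random but is fully predictable once the fingerprint is known.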
The result is a solution for generating random numbers that is both cryptographically secure and low-cost, which makes it perfectly suited for the rapidly growing IoT. And most importantly, Zign RNG is implemented completely in software, making it the only hardware entropy source that does not need to be loaded at silicon fabrication. Zign RNG software can be installed later in the supply chain, and even retrofitted on already-deployed devices. This enables a never-before-possible “brownfield” deployment of a cryptographically secure, NIST-certified RNG.