IoT Rng Fiasco
Last updated
Last updated
The article "You're Doing IoT RNG" by Bishop Fox explores the critical issues surrounding the use of random number generators (RNG) in the Internet of Things (IoT) devices. It highlights the common practice of IoT devices relying on hardware RNGs for generating random numbers essential for security functions like encryption keys. However, these RNGs often fail to deliver truly random numbers due to improper implementation and lack of error checking in their usage.
A significant point raised is that most IoT systems rely directly on hardware RNGs without intermediary layers, such as those provided by operating systems in more traditional computing environments. This direct reliance can lead to issues because hardware RNGs might fail due to reasons like low entropy or operational errors, and these failures often go unchecked by developers. The article discusses the non-standard handling of RNGs in IoT compared to more robust methodologies employed in server environments, where cryptographically secure pseudo-random number generators (CSPRNG) are used to ensure the randomness and security of numbers.
The solution proposed involves adopting CSPRNG subsystems within IoT operating systems, which can provide a reliable source of randomness without the quirks associated with direct hardware RNG access. This approach is slowly being adopted in emerging IoT operating systems, which could improve the security posture of IoT devices significantly.
The concept of a Decentralized Quantum Random Number (QRN) API, like the one offered by Sp8de, could potentially address many of the issues highlighted in the discussion of IoT RNG weaknesses. By leveraging blockchain technology and decentralized mechanisms, such a system could provide a more reliable and secure source of randomness for IoT devices and other applications.