Entropy Omission Leaves IoT Customers Vulnerable

Secure Channels Solution Delivers Security and Flexibility Essential to IoT


A recent report by cybersecurity firm Keyfactor revealed a significant weakness prevalent among IoT devices.  The group found that RSA cryptosystem keys protecting connected devices are generated with a staggering lack of entropy — the randomness that reduces an adversary’s ability to break the encryption.  Inherent design constraints in IoT technology hamper the effectiveness of classical cryptosystems like RSA.  Secure Channels Inc. has prepared a lightweight, stronger cryptosystem IoT manufacturers can better integrate into their products without sacrificing performance: XOTIC Core.

Keyfactor used modest resources to analyze 75 million RSA certificates acquired from the open Internet.  The group found a worrying level of repetition that could facilitate an adversary’s attack on targeted IoT devices.  The report is even more troubling considering the projected growth of IoT from the 23 billion connected devices deployed in 2018 to a forecast 76 billion by 2025.  Convenience, efficiency and misplaced trust in the devices have propelled their deployment to environments with higher stakes, despite the technology’s feeble security.  As noted by Keyfactor’s JD Kilgallin, “These devices are also now seen in increasingly sensitive settings, such as in operating rooms and automobiles. Consumers are also transmitting increasingly sensitive information over the Internet, including financial and personal-health data.”

At the heart of IoT devices’ security weaknesses is their embedded cipher’s inability to leverage the entropy that prevents adversaries from correctly guessing the encryption keys.  Much of the deficiency stems from the IoT device architecture, which has been optimized for performance, cost and battery life.  These considerations, while providing end users with responsive, energy-efficient devices, impose space and resource restrictions that hamstring manufacturers’ efforts to integrate strong onboard encryption.  To harness adequate entropy, classical cryptosystems like RSA would require an external random number source that most devices cannot support.

Keyfactor’s latest report may shock IoT end users, though cybersecurity vulnerabilities present in the devices and the RSA cryptosystem have been repeatedly demonstrated.  RSA’s imminent failure against quantum computing was determined a quarter century ago, and recent successes cracking its encryption using classical computers suggest that RSA’s serviceability may end sooner than expected.  On the hardware side, compromised IoT devices have been pressed into service of botnet armies to wage DDoS attacks against businesses.  In separate 2016 attacks, consumer devices like webcams and routers were commandeered to flood European web host OVH, DNS provider Dyn and cybersecurity blog site Krebs with traffic, crippling their online presences.  Research and advisory firm Gartner estimated that by 2020 IoT compromises will account for more than 25 percent of cyberattacks as poor device security provides adversaries untold new weapons.

Connected devices tend to share a “trusted status” on networks, potentially extending the reach and influence of an adversary that successfully compromises a single encryption key.  An exploited IoT device could allow the exfiltration of sensitive personal data, manipulation of machinery or access to home monitoring systems.  Addressing the gap in IoT cybersecurity, Secure Channels’ has engineered the XOTIC Core cryptosystem to deliver sound encryption by overcoming device constraints hindering entropy inclusion.

XOTIC Core does not rely on RSA’s prime factoring or discrete logarithms that are rapidly losing their protective edge to evolving threats.  XOTIC Core’s unconditional security rests behind its one-time pad element grounded in a longstanding mathematical proof.  The one-time pad receives absolute entropy from its quantum random number generator to forge unbreakable encryption that reduces any attack against it to futile guesswork.  XOTIC Core’s key lengths start at a post-quantum 512 bits and can be scaled beyond 8,000 without adding perceptible latency.  The cryptosystem can also be deployed with Secure Channels’ patented Wave Form Encryption, which continuously adjusts the key lengths for additional protection.

XOTIC Core’s potency is paradoxical to its surprisingly light code.  The cryptosystem’s 60KB of code easily integrate into virtually any technology environment, no matter how space- or resource-constrained.  It encrypts at speeds that best other popular stream and block ciphers, preserving device responsiveness and synchronization.  It efficiently encrypts every packet of data, every frame of video for complete end-to-end security.  XOTIC Core’s strength and “digital litheness” present manufacturers new market advantages in their drive to provide end users with high-performance, cryptographically-secure IoT devices.

“When new digital technologies hit the market, security is almost invariably an afterthought,” explained Secure Channels CEO Richard Blech, “and for this reason, they are promptly targeted by hackers.  The IoT market, however, is surprisingly vulnerable in relation to the risks.  We’re past the point where a hacker’s influence is limited to remotely turning off lights or switching TV channels.  Security oversights like absent entropy could now grant hackers control of a moving vehicle or implanted medical device.  The stakes have increased sharply so consumers are looking toward manufacturers to deliver devices that are strongly protected.  XOTIC Core will let manufacturers meet that demand.”