A major security flaw has been found in RSA encryption keys used across the internet. Researchers discovered that about one in 172 online certificates are at risk due to a mathematical weakness.
The issue mainly affects Internet of Things (IoT) devices but could impact any system using improperly generated RSA keys, arising from poor random number generation during key creation, particularly in devices with limited entropy sources.
If RSA keys lack enough randomness, they could share prime factors with other keys, making them easy to break using a factorization attack.
Factorization Attacks
This type of attack takes advantage of a key RSA property: if two keys share a prime factor, both can be broken by computing the Greatest Common Divisor (GCD). While standard RSA key cracking is difficult, finding a shared factor is much easier, allowing full recovery of private keys.
According to the International Institute of Informatics and Systemics (IIIS), factoring attacks are based on the fact that the private key d can be computed if p and q can be discovered by factoring n. “Given n and e (which is already known) d can be computed by solving the equation de≡mod φ (n) where the totient is φ (n) = (p-1) (q-1).”
Keyfactor Security researchers analyzed more than 75 million RSA certificates and found a whopping 435,000 compromised by the simple mathematical technique.
Researchers used the GNU MultiPrecision (GMP) library to efficiently compute GCDs on a cloud-based virtual machine. Instead of checking each pair, they used a faster product tree and remainder tree approach.
IoT Most at Risk
They said IoT devices were most at risk, with about half (50%) of compromised certificates linked to a major network equipment manufacturer. Many vulnerable devices remained unpatched despite previous warnings—highlighting the difficulty of securing IoT systems.
IoT devices are being used more and more in critical places like hospitals, vehicles, and industrial systems, so the researchers urged manufacturers to improve entropy sources and follow cryptographic best practices to prevent vulnerabilities of this nature.
Continuous Evaluation Needed
“This discovery highlights the need for continuous evaluation and improvement of our security infrastructure, particularly as IoT devices are increasingly ubiquitous,” says Javvad Malik, Lead Security Awareness Advocate at KnowBe4.
Malik adds that a multi-faceted approach is crucial, and that entities need to evaluate their exposure and prior and that entities need to evaluate their exposure and prioritize mitigation efforts. “This should be coupled with implementing more rigorous standards for cryptographic implementations, especially in IoT devices. Fostering increased cooperation between manufacturers, developers, and security professionals is crucial to address systemic vulnerabilities effectively.”
Regulatory considerations should not be overlooked, and exploring the potential for updated guidelines or regulations to ensure minimum security standards across the industry could provide a necessary framework for improvement, he adds. “Cybersecurity is an ongoing process, not a one-time implementation, and something that needs the cooperation of a broad set of stakeholders to cultivate a security-focussed culture throughout the whole ecosystem.”
“Deepy Disturbing News”
“This is deeply disturbing news,” says Jamie Akhtar, CEO and Co-founder at CyberSmart. “RSA keys are vital for the most commonly used forms of encryption to work properly. Badly generated RSA keys effectively mean that cybercriminals can crack encryption using a technique known as factorization.”
Akhtar says the security of RSA relies on the difficulty of factoring large numbers, specifically the product of two large prime numbers. However, if two different RSA keys share a prime factor, both can be broken, pretty easily. “In other words, any system using these faulty RSA keys is open to a breach. And, if early estimates are accurate, this could affect millions of devices and systems, with IoT devices particularly vulnerable. This is very worrying as IoT devices can be found in sensitive places like hospitals, industrial control systems and vehicles. It’s something manufacturers need to lock down quickly.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.