Researchers Exploit Low Entropy of IoT Devices to Break RSA Certificates

Many Internet of Things (IoT) devices rely on RSA keys and certificates to encrypt data before sending it to other devices, but these security tools can be easily compromised, new research shows.

Researchers from digital identity management company Keyfactor were able to compromise 249,553 distinct keys corresponding to 435,694 RSA certificates using a single virtual machine from Microsoft Azure. They described their work in a paper presented at the IEEE Conference on Trust, Privacy, and Security in Intelligent Systems and Applications in December.

“With under $3,000 of compute time in Azure, we were able to break 435,000 certificates,” says JD Kilgallin, Keyfactor’s senior integration engineer and researcher. “We showed that this attack is very easy to execute now.”