Light Dark
December 17, 2019 By Shane Schick 2 min read

Almost 250,000 RSA keys were found to be broken as part of an investigation into a certificate vulnerability that could compromise internet of things (IoT) devices such as connected cars and medical implants.

Based on an analysis of approximately 175 million certificates, researchers at Keyfactor discovered that those sharing one of their prime factors with another could easily be compromised. When an IoT device attempted to connect to the internet, for example, a technique making use of the vulnerability could impersonate a server by re-deriving the key for an SSL/TLS server certificate.

Details about how the RSA keys were broken were initially released at the first IEEE Conference on Trust, Privacy and Security in Intelligent Systems and Applications.

How Certificate Security Can Suffer

An active public key is based on two large primes that are randomly chosen, but the research showed how often they share factors by using an algorithm that mined them for commonalities.

The results of the research, which builds upon similar investigations dating back to 2012, showed that one out of 172 certificates, or approximately 435,000, were weak. This could be due to a flaw in the random number generation that occurs when primes are chosen, according to the report.

If that happens, attackers who understand a computation known as the Greatest Common Devisor (GCD) could perform simple calculations to break the keys. This, in turn, could lead to data theft or devices malfunctioning since a device user wouldn’t be able to distinguish an attacker from someone with a legitimate certificate, the researchers added.

The dataset for the project was built by using proprietary tools designed to discover active RSA keys and millions of other samples gathered through certificate transparency logs.

Consider the Full Potential of Cryptography

Besides ensuring random number generation tools work properly, the researchers emphasized keeping IoT devices updated and securely installing firmware from the very beginning.

Security experts have also pointed out that the best cryptography goes beyond encryption, keys and certificates to look holistically at security. The goal should be to support not only confidentiality and privacy, for instance, but data integrity and non-repudiation. Cryptography services can help organizations meet those kinds of goals by delivering the right training and effective governance.

 |  |  |  |  |  |  |  | 
Shane Schick
Writer & Editor

More from

May 10, 2024

CISA Malware Next-Gen Analysis now available to public sector

2 min read - One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience.In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the private…

May 9, 2024

Social engineering in the era of generative AI: Predictions for 2024

5 min read - Breakthroughs in large language models (LLMs) are driving an arms race between cybersecurity and social engineering scammers. Here’s how it’s set to play out in 2024.For businesses, generative AI is both a curse and an opportunity. As enterprises race to adopt the technology, they also take on a whole new layer of cyber risk. The constant fear of missing out isn’t helping either. But it’s not just AI models themselves that cyber criminals are targeting. In a time when fakery…

May 8, 2024

Change Healthcare attack expected to exceed $1 billion in costs

3 min read - The impact of the recent Change Healthcare cyberattack is unprecedented — and so are the costs. Rick Pollack, President and CEO of the American Hospital Association, stated, “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the U.S. healthcare system in history.”In a recent earnings call, UnitedHealth Group, the parent company of Change Healthcare, speculated on the overall data breach costs. When all is said and done, the total tally may reach $1 billion…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature