Almost 250,000 RSA keys were found to be broken as part of an investigation into a certificate vulnerability that could compromise internet of things (IoT) devices such as connected cars and medical implants.

Based on an analysis of approximately 175 million certificates, researchers at Keyfactor discovered that those sharing one of their prime factors with another could easily be compromised. When an IoT device attempted to connect to the internet, for example, a technique making use of the vulnerability could impersonate a server by re-deriving the key for an SSL/TLS server certificate.

Details about how the RSA keys were broken were initially released at the first IEEE Conference on Trust, Privacy and Security in Intelligent Systems and Applications.

How Certificate Security Can Suffer

An active public key is based on two large primes that are randomly chosen, but the research showed how often they share factors by using an algorithm that mined them for commonalities.

The results of the research, which builds upon similar investigations dating back to 2012, showed that one out of 172 certificates, or approximately 435,000, were weak. This could be due to a flaw in the random number generation that occurs when primes are chosen, according to the report.

If that happens, attackers who understand a computation known as the Greatest Common Devisor (GCD) could perform simple calculations to break the keys. This, in turn, could lead to data theft or devices malfunctioning since a device user wouldn’t be able to distinguish an attacker from someone with a legitimate certificate, the researchers added.

The dataset for the project was built by using proprietary tools designed to discover active RSA keys and millions of other samples gathered through certificate transparency logs.

Consider the Full Potential of Cryptography

Besides ensuring random number generation tools work properly, the researchers emphasized keeping IoT devices updated and securely installing firmware from the very beginning.

Security experts have also pointed out that the best cryptography goes beyond encryption, keys and certificates to look holistically at security. The goal should be to support not only confidentiality and privacy, for instance, but data integrity and non-repudiation. Cryptography services can help organizations meet those kinds of goals by delivering the right training and effective governance.

More from

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…