#Privacy: Security of RSA certifications comes under scrutiny

Researchers at cyber security firm Keyfactor have found encrypted weaknesses within RSA certification, leaving Internet of Things (IoT) devices vulnerable to attack. 

RSA algorithm has become one of the most popular encryption techniques to secure data transmission. 

“The security of RSA relies on the inability of another party to determine two randomly-chosen prime numbers from which the RSA public key is derived. If these prime factors are discovered, the RSA private key can be re-derived, and an attacker can impersonate the remote source or decrypt stored communications that rely on the confidentiality of the private key,” said JD Kilgallin, senior integration engineer and researcher at Keyfactor. 

In its “Factoring RSA Keys in the IoT Era”, researchers collected and analysed 75 million RSA certificates and discovered that 1 in 172 certificates have keys that share a factor with another, equating to over 435,000 certificates. 

The majority of the weak certificates belonged to routers, firewalls and other network devices. In addition, it was found that medical implants and connected cars were also impacted. 

“In a real-world attack scenario, a threat actor with a re-derived private key for an SSL/TLS server certificate could impersonate that server when devices attempt to connect,” said Kilgallin.

“The connecting user or device or cannot distinguish the attacker from the legitimate certificate holder, opening the door to critical device malfunction or exposure of sensitive data.”

According to researchers, the main cause of weaker certificates is due to poor entropy. Many embedded gear often user low-power hardware, thus devices are not able to generate random numbers in an efficient way.

“These concerning findings highlight the need for device manufacturers, website and network administrators, and the public at large to consider security, and especially secure random number generation, as a paramount requirement of any connected system,” said the researchers in a blog post.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.