Poor Implementation of RSA Encryption Allows Attacks on Medical Devices and Implants

Encryption makes data unavailable to unauthorized people, as long as strong encryption is utilized and the private key to decrypt information isn’t compromised.

Not all encryption algorithms give a similar protection level. The effectiveness of encryption depends on the length of the key. Longer keys give more computational power necessary to crack the encryption. If using strong encryption, the computing power and time period needed to crack the encryption makes the data practically inaccessible.

DES was at one time regarded as a strong type of encryption, however, its computing power now makes possible breaking the encryption even on comparatively cheap computers. DES with 56-bit keys was okay in the 1970s, but its keys length is not long enough now. Today, strong encryption needs 256-bit keys, like those in the AES algorithm. With AES-256, sensitive information could be sufficiently secured at this time. As long as the key is not compromised, the encrypted information is not accessible.

RSA is a substitute encryption standard often used to secure sensitive information. It utilizes an asymmetric cryptographic algorithm with two keys, including a public key and a private key. The public key may be provided to any person since it cannot decrypt data on its own. The private key is likewise necessary.

The keys are created by multiplying two arbitrary prime numbers. Because RSA keys are long and with greater computing power, they cannot be guessed easily or brute-forced. Nevertheless, errors in implementing RSA encryption could result in easy cracking of the keys.

One difficulty that could come up is when not using genuine random prime numbers in encrypted RSA keys. Flaws in randomness makes the encryption weak. Keyfactor analyzed RSA certificates and found that in a lot of IoT devices, the factors employed to create the keys aren’t completely random so that it is easier to derive the private key.

In such instances, a substantial amount of computing power is still necessary, but not adequate to make breaking the encryption entirely hard. Keyfactor stated that about $3,000 of compute time on one Azure virtual machine is enough to break weak keys. At such a low price, threat actors would seriously consider the investment.

The researchers accumulated 175 million RSA certificates online using a scalable GCD algorithm on the Azure virtual machine. 75 million of the keys were employed to encrypt traffic and 100 million keys were available to the public. Keyfactor’s research found 435,000 RSA certificates which shared a similar factor. That translates to about 1 in 172 RSA certificates. Keyfactor could crack all 435,000 certificates for under $3,000 in Azure compute time.

Shared factors are largely employed in lightweight IoT devices because they have no adequate entropy to produce really random numbers. Hence, the random numbers are predictable. Just find the two prime numbers utilized to produce the key and it’s easy to derive the private key.

Lightweight IoT devices are notably susceptible to low entropy states because of lacking input data and having a problem of integrating hardware-based random number creation economically. Keys created by lightweight IoT devices are liable to not being random enough and there are more chances for two keys to have the same factor and allowing the key to be cracked.

There was an 8,192-bit RSA key, which was very large. It should have been impossible to guess the key, but they did. There was no problem with the length of the key, but the factor employed was not totally random.

A threat actor who possesses the derived private key could not be identified by the real private key holder, which allows man-in-the-middle attacks, data tampering, and theft.

This has big effects on a variety of industries that utilize a lot of IoT devices like healthcare. In healthcare, a lot of medical equipment and implants possess low entropy, and so the encryption can be unlocked and data acquired for a fairly low investment.

Keyfactor’s findings are scary. The research identified excessive rates of compromise affecting IoT devices with design and entropy limitations. Cars, medical implants and some other devices could be compromised and cause life-impacting damage.

Making active IoT devices safer is a big challenge. Not patching impacted IoT devices and lacking enough processing power will make them unsafe. The solution is to create adequate entropy into the devices to make sure using truly random factors to create strong RSA keys.

About Christine Garcia 1191 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA