The Bad Math Putting Millions of IoT Devices at Risk
Plus, this week's top stories from IoT For All
Hello readers,
Welcome to the IoT For All newsletter! We’ll be talking about how IoT devices are failing at RSA encryption, how to improve IoT security, non-terrestrial LoRaWAN, supply chains, and more!
Bad Math

Verifying a device’s identity is absolutely essential to security on the internet. If bad actors can impersonate someone or something, they can snoop on communications, steal data, or disable entire systems. That’s why a recently discovered vulnerability in many RSA encryption keys, affecting IoT devices in particular, has huge cybersecurity implications for connected device ecosystems.
RSA encryption is a clever and sophisticated cybersecurity mechanism, but it boils down to a simple mathematical fact: it is very easy to multiply two large prime numbers together to create a third number, but it is very difficult to look at that third number on its own and figure out the two numbers it came from.
It’s a principle that has protected online communications for decades, but it has to be done right. Those prime numbers need to be big and they need to be random. And what security researchers at Keyfactor have discovered is that, for many IoT devices, this isn’t the case.
“We collect and analyze 75 million RSA certificates from the Internet, and find that 1 in 172 keys share a factor with another. In contrast, only 5 of 100 million certificates found in a sample from Certificate Transparency logs are compromised by the same technique. The discrepancy in rates of compromise is overwhelmingly due to IoT devices exposed to the Internet, which may be subject to design constraints and limited entropy.”
While “1 in 172” might not sound alarming, the scale of the sample size puts it into perspective. In a test pool of 75 million certificates, that comes out to 435,000 at-risk devices, implying millions more as yet undiscovered in the wild.
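One way to run this kind of shared-factor check against your own device inventory, as an added example that is not code from the Keyfactor study or from IoT For All: a batch GCD over the public moduli, chosen here as the technique because it scales to large key sets. The `FLEET` names and moduli are constructed toy values (products of Mersenne primes), and `shared_factor_audit` is a hypothetical helper name.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of pairwise products; the top level holds the product of everything."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        row = levels[-1]
        levels.append([prod(row[i:i + 2]) for i in range(0, len(row), 2)])
    return levels

def shared_factor_audit(moduli):
    """Return {name: common factor} for every modulus sharing a factor with another.

    Batch GCD: with P the product of all moduli, gcd(n, (P mod n^2) // n) exceeds 1
    exactly when n shares a factor with some other modulus in the set.
    """
    names = list(moduli)
    levels = product_tree(moduli[k] for k in names)
    rems = levels.pop()                      # top of the tree: [P]
    while levels:                            # push P down the tree as P mod n^2
        row = levels.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(row)]
    flagged = {}
    for name, r in zip(names, rems):
        n = moduli[name]
        g = gcd(n, r // n)
        if g != 1:                           # g == n: both primes shared, e.g. a duplicate key
            flagged[name] = g
    return flagged

# Constructed inventory: toy moduli built from Mersenne primes, not real device keys.
M = {e: 2**e - 1 for e in (17, 19, 31, 61, 89, 107, 127)}
FLEET = {
    "cam-01":   M[61] * M[89],
    "cam-02":   M[61] * M[107],    # reuses a prime from cam-01
    "gw-01":    M[127] * M[31],    # unique primes, should not be flagged
    "meter-01": M[19] * M[17],
    "meter-02": M[19] * M[17],     # identical key on a second device
}

if __name__ == "__main__":
    for name, g in shared_factor_audit(FLEET).items():
        print(f"{name}: shares a {g.bit_length()}-bit factor with another key")
```

Any device this flags needs its key pair regenerated from a properly seeded random source and its certificate reissued.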
For all their strengths, computers are not especially good at randomness. Since they can’t just pull a number out of the air, computers use naturally occurring entropy in their systems to pick a “seed” number and perform a bunch of math on it to make it effectively random. Barebones IoT devices are particularly prone to generating ‘random’ numbers that are too predictable, undermining encryption. As the study states:
“Lightweight IoT devices are particularly prone to being in low entropy states due to the lack of input data they might receive, as well as the challenge of incorporating hardware-based random number generation economically. Keys generated by lightweight IoT devices are therefore at risk of not being sufficiently random.”
This vulnerability highlights a fundamental challenge in IoT security: balancing cost, efficiency, and strong cryptographic safeguards. Many IoT devices are designed for longevity but not for regular updates, making retroactive fixes difficult or impossible. That means addressing this issue isn’t just about patching existing systems—it’s about ensuring future devices are built with better entropy sources and more robust key generation processes from the start.
If IoT security doesn’t evolve to keep pace with threats, these devices could become weak links in critical systems. As encryption standards tighten and researchers uncover more vulnerabilities, manufacturers must take a proactive approach to device security—because when identity verification fails, everything else falls apart.
📖 Top Articles
When IoT security fails, it fails silently. And by the time anyone notices? The damage is already done. Data has been exfiltrated. Devices have been compromised. Regulatory fines are on the table. And the worst part? Most companies don’t even realize it’s happening until it’s too late.
Internet of things (IoT) is rapidly evolving with non-terrestrial (NTN) satellite technology quickly becoming a game changer because it can provide global connectivity solutions in areas that have previously been underserved, especially in remote locations. A recent LoRa Alliance® webinar brought together three pioneering companies: EchoStar Mobile, Lacuna Space and Plan-S, to delve into the current landscape and future opportunities for NTN LoRaWAN IoT services.
The supply chain is the backbone of global commerce, ensuring goods move efficiently from manufacturers to consumers; however, managing supply chains has traditionally been complex, with challenges such as tracking shipments, optimizing inventory, and reducing waste. Enter IoT in supply chain, a transformative technology that enables real-time monitoring, automation, and predictive analytics to improve logistics efficiency.
🔥 Rapid Fire
Rocket Lab launches five Kinéis satellites for Internet of Things "High Five" mission
Thales and Wireless Logic partner to drive IoT adoption
Consumer groups rally to address IoT security concerns
Netmore and Zenze deploy LoRaWAN networks globally for cargo monitoring at ports
Ubiik, Kigen, and Monogoto collaborate to enhance IoT connectivity
🎙️ The IoT For All Podcast
No new podcast this week, but check out our last edition, where we spoke with Martin Nord, Chief Technology and Product Officer at Com4, to discuss navigating modern IoT connectivity. The conversation covers key connectivity challenges across industries, the impact of iSIM and multi-IMSI, customer-centric IoT strategies, satellite IoT, the transformative potential of IoT and AI, low-power wide-area networks, and understanding total cost of ownership for successful IoT deployments.