Algebraic Eraser, the algorithm running the 'Internet of Things', is broken...again
OK, who broke the IoT?
Everything from baby monitors to smart TVs and vehicles has been found to rely on security measures that are wholly inadequate, and now a team of mathematicians has demonstrated how to break a key used as part of the encryption system that secures many of the most critical IoT technologies internationally.
The Algebraic Eraser, owned by the Connecticut-based company SecureRF, is a widely used encryption solution for IoT devices that have minimal computing capacity. This includes RFID tags, mobile payment devices, and microcontrollers.
The system is also a fundamental component of ISO/IEC AWI 29167-20, a specification proposed by the International Organisation for Standardisation to secure air interface communications devices like wireless sensors and embedded systems.
The research team, consisting of Simon Blackburn, a mathematics professor at Royal Holloway College, University of London, together with Bar-Ilan University mathematicians Adi Ben-Zvi and Boaz Tsaban, published research showing how they were able to break the security key provided to them by SecureRF, owner of the Algebraic Eraser trademark.
Their process is described in their paper, “A Practical Cryptanalysis of the Algebraic.” The team's method builds on the approach used by another group of researchers, Arkadius Kalka, Mina Teicher, and Boaz Tsaban, in a paper that was published in 2008 and revised in 2012 (Tsaban was involved in both research groups).
When the earlier researchers published their results, SecureRF countered that the algorithm parameters chosen by the researchers were weak, Blackburn told SCMagazine.com. The company then created a workaround and announced that the problem was resolved.
Blackburn and his team, however, were not so sure. So they set out to break the key again, this time using parameters provided by SecureRF. Blackburn told SC that he asked SecureRF for parameters being used in practice.
The research group broke the key again, this time in less than eight hours.