Arizona Lottery's Not-So-Random Number Generator

Posted October 12, 2017


Random numbers -- really, truly random numbers -- play a very important role in security. Key generation, nonces, shuffling, secure protocols, and many forms of challenge-response all rely on unpredictable numbers.

There are many ways that things go wrong. Firmware engineers will often use the rand() function from the C standard library (often without seeding), either because they don't know any better, or because they feel they don't have a good alternative (no excuse!). Or they'll obtain a "good" random number, but then introduce a bias when converting that larger random number into a smaller range.
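As an added illustration (this is not code from the post or from Barr Group), the following C program shows the second failure named above in miniature: reducing a random value to a smaller range with a modulo operation, and removing the resulting bias with rejection sampling. It assumes a hypothetical 8-bit random source so that the bias is visible by simply enumerating every source value; the function names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Width of the hypothetical random source: an 8-bit value, so the bias is easy
 * to see. The same arithmetic applies to a 32-bit source, only with a smaller
 * (but still nonzero) bias. */
#define SOURCE_RANGE 256u

/* Naive conversion: fold the source value into 0..n-1 with modulo. */
uint32_t reduce_modulo(uint32_t r, uint32_t n)
{
    return r % n;
}

/* Rejection sampling: accept r only if it lies below the largest multiple of n
 * that fits in the source range; otherwise signal that a fresh draw is needed.
 * Every residue is then produced by exactly limit/n source values. */
bool reduce_rejection(uint32_t r, uint32_t n, uint32_t *out)
{
    uint32_t limit = SOURCE_RANGE - (SOURCE_RANGE % n); /* 200 when n == 100 */
    if (r >= limit)
        return false;
    *out = r % n;
    return true;
}

/* Feed every possible source value exactly once (a perfectly uniform source)
 * through one of the two reductions and histogram the outputs.
 * Returns the difference between the most and least frequent output;
 * 0 means the reduction is unbiased. If 'rejected' is non-NULL it receives
 * the number of draws that rejection sampling threw away. */
uint32_t histogram_spread(uint32_t n, bool use_rejection, uint32_t *rejected)
{
    uint32_t counts[SOURCE_RANGE] = {0}; /* n <= SOURCE_RANGE is assumed */
    uint32_t rej = 0;

    for (uint32_t r = 0; r < SOURCE_RANGE; r++) {
        uint32_t v;
        if (use_rejection) {
            if (!reduce_rejection(r, n, &v)) {
                rej++;
                continue;
            }
        } else {
            v = reduce_modulo(r, n);
        }
        counts[v]++;
    }

    uint32_t lo = UINT32_MAX, hi = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (counts[i] < lo) lo = counts[i];
        if (counts[i] > hi) hi = counts[i];
    }
    if (rejected)
        *rejected = rej;
    return hi - lo;
}

int main(void)
{
    uint32_t rej = 0;
    printf("modulo    : spread %u\n", histogram_spread(100, false, NULL));
    printf("rejection : spread %u, %u of %u draws retried\n",
           histogram_spread(100, true, &rej), rej, SOURCE_RANGE);
    return 0;
}
```

With 256 equally likely source values and a target range of 100, `r % 100` lands on each of 0..55 three times but on each of 56..99 only twice, so the low outputs are 50% more likely than the high ones. Rejection sampling retries the 56 source values at or above 200, and the remaining 200 values cover every residue exactly twice. A 32-bit source makes the gap much smaller but does not close it unless the target range divides 2^32, which is why the retry loop belongs in firmware that derives keys, nonces or draw positions from a wider random word.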

There are myriad ways things can go wrong. That's one of the reasons we devote an entire section to the topic in Barr Group's Embedded Security Boot Camp. One of the things I discuss in the course is how things can go wrong with "random" numbers. One of the examples is the 2013 Arizona Lottery, where a "glitch" prevented the digits 8 and 9 from being drawn in certain positions.

Well, guess what? It's now 2017, and the Arizona Lottery is back in an attempt to outdo itself: apparently "technical difficulties" with the lottery's random number generator have resulted in the same winning numbers being generated repeatedly. Oops. Quoting the article: "the machine generated the same winning numbers in multiple drawings for three different games."

At least this problem made itself very obvious. Often the failures and problems with random number generators in security systems are subtler and go undetected for longer periods of time.

Does your embedded product use random numbers as part of its security framework? If so, where do they come from? Is there a bias, even a slight one? (Are you sure?) If you suspect a bias, how are you removing it? Would your firmware detect a scenario where there is a failure in your random number generator?
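The last question above, whether the firmware would notice a failed generator, is the one the 2017 Arizona incident answers in the negative: the same outputs came out drawing after drawing and nothing tripped. As an added example (my own code, not the post's or Barr Group's), here is a continuous repetition-count health test in C of the kind that runs on every sample an RNG produces and latches a failure once too many consecutive outputs are identical. The sample streams are constructed for illustration, and the cutoff of 4 is an arbitrary demonstration value, not a recommended setting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* State of a continuous repetition-count test over an RNG's output stream. */
typedef struct {
    uint32_t last;    /* most recent sample seen */
    uint32_t run;     /* length of the current run of identical samples */
    uint32_t cutoff;  /* run length at which the source is declared failed */
    bool     primed;  /* false until the first sample has been recorded */
    bool     failed;  /* sticky: once set, every later call reports failure */
} rct_state_t;

void rct_init(rct_state_t *s, uint32_t cutoff)
{
    s->last = 0;
    s->run = 0;
    s->cutoff = cutoff;
    s->primed = false;
    s->failed = false;
}

/* Feed one sample. Returns true while the stream looks healthy and false once
 * 'cutoff' consecutive identical samples have been seen (and forever after,
 * so a caller cannot accidentally resume using a generator that has failed). */
bool rct_feed(rct_state_t *s, uint32_t sample)
{
    if (s->failed)
        return false;
    if (!s->primed) {
        s->last = sample;
        s->run = 1;
        s->primed = true;
        return true;
    }
    if (sample == s->last) {
        s->run++;
        if (s->run >= s->cutoff) {
            s->failed = true;
            return false;
        }
    } else {
        s->last = sample;
        s->run = 1;
    }
    return true;
}

/* Run the test over a whole buffer. Returns the index of the sample at which
 * the test first fails, or -1 if the buffer passes. */
long rct_scan(const uint32_t *samples, size_t n, uint32_t cutoff)
{
    rct_state_t s;
    rct_init(&s, cutoff);
    for (size_t i = 0; i < n; i++) {
        if (!rct_feed(&s, samples[i]))
            return (long)i;
    }
    return -1;
}

/* Constructed sample streams, not real RNG output. The healthy stream repeats
 * a value non-consecutively, which a repetition-count test must tolerate. */
static const uint32_t healthy[] = { 0x7a3f, 0x1c09, 0xe5b2, 0x1c09, 0x90d4, 0x3381 };
static const uint32_t stuck[]   = { 17, 42, 42, 42, 42, 9 };

int main(void)
{
    const uint32_t cutoff = 4; /* demonstration value only */
    printf("healthy stream: fails at %ld\n", rct_scan(healthy, 6, cutoff));
    printf("stuck stream  : fails at %ld\n", rct_scan(stuck, 6, cutoff));
    return 0;
}
```

In a real design the cutoff is not picked by hand. NIST SP 800-90B's Repetition Count Test derives it from the source's claimed min-entropy per sample H and the acceptable false-alarm probability alpha as C = 1 + ceil(-log2(alpha) / H); for a full-entropy 32-bit sample and alpha of 2^-20 that gives C = 2, meaning two identical consecutive words is already a failure. The important property is the sticky flag: once the test trips, the firmware should stop consuming output and raise an error rather than carry on, which is exactly the behaviour the lottery machine lacked.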

Security is hard. Random numbers are one of the easier things to get right, but I've encountered a multitude of different problems while performing security audits / firmware reviews. And I don't have space here to get into the nuances of hardware-generated random numbers vs. cryptographically secure random number generators, whitening and entropy extraction, etc.
