An elevation of privilege vulnerability exists in the way Azure IoT Java SDK generates symmetric keys for encryption, allowing an attacker to predict the randomness of the key. An attacker could derive the keys from the way they are generated and use them to access a userβs IoT hub.
This update addresses the vulnerability by randomizing the key generation within Azure IoT SDK.