🔒 [security] Replace insecure random with secrets for hardware ID

google-labs-jules[bot] · rnovatorov · google-labs-jules[bot] · commit bc24f81c89d7 · 2026-04-01T11:20:14.000Z
The hardware ID generation was using the insecure `random` module, which is not suitable for generating secure identifiers. This commit replaces it with the cryptographically secure `secrets` module while maintaining the exact output format (prefix "V" + 32 uppercase hexadecimal characters). 🎯 **What:** The vulnerability fixed is the use of insecure randomness (via `random.randbytes`) for generating hardware IDs. ⚠️ **Risk:** Hardware IDs generated with `random` might be predictable, potentially allowing an attacker to guess or collision identifiers if the random seed is compromised or predictable. 🛡️ **Solution:** Switched to `secrets.token_hex(16).upper()`, which uses the system's best available source of randomness and is recommended for security-sensitive contexts. Co-authored-by: rnovatorov <20299819+rnovatorov@users.noreply.github.com>
diff --git a/src/enapter/http/api/devices/client.py b/src/enapter/http/api/devices/client.py
@@ -1,4 +1,4 @@
-import random
+import secrets
 import time
 from typing import AsyncGenerator
 
@@ -161,4 +161,4 @@ def random_device_name(device_type: DeviceType) -> str:
 
 
 def random_hardware_id() -> str:
-    return "V" + "".join(f"{b:02X}" for b in random.randbytes(16))
+    return "V" + secrets.token_hex(16).upper()
