Each individual device must have unique cryptographic keys and certificates.
CWE-326: Inadequate Encryption Strength. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CWE-330: Use of Insufficiently Random Values. The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements. (C.2) Verify that cryptographic keys and certificates are unique to each individual device.
OWASP-ASVS v4.0.1 V2.9 Cryptographic Software and Devices Verifier Requirements. (2.9.2) Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device.
OWASP-ASVS v4.0.1 V6.2 Algorithms. (6.2.6) Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used.
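
One way to check these three verifications against a device fleet, as an added example that is not part of the original requirement text: it flags keys shared by more than one device (C.2), nonces shorter than 64 bits (2.9.2), and nonces repeated under the same key (6.2.6). The inventory layout, the log layout, the device and key ids and the function names are assumptions, and all sample values are constructed.

```python
import hashlib
from collections import defaultdict

MIN_NONCE_BITS = 64  # minimum challenge nonce length stated in ASVS 2.9.2

# Constructed inventory (assumed layout): device id -> encoded public key bytes.
FLEET_KEYS = {
    "dev-001": b"constructed-public-key-A",
    "dev-002": b"constructed-public-key-B",
    "dev-003": b"constructed-public-key-A",  # same key as dev-001: violates C.2
}

# Constructed log (assumed layout): (device id, key id, nonce bytes) per operation.
NONCE_LOG = [
    ("dev-001", "k1", bytes.fromhex("00112233445566778899aabb")),
    ("dev-001", "k1", bytes.fromhex("00112233445566778899aabb")),  # reused under k1
    ("dev-002", "k2", bytes.fromhex("a1b2c3d4")),                  # only 32 bits
    ("dev-002", "k2", bytes.fromhex("0102030405060708")),          # 64 bits, unique
]

def shared_keys(fleet):
    """Return {sha256 fingerprint: sorted device ids} for keys found on 2+ devices."""
    by_fp = defaultdict(list)
    for device, key_bytes in fleet.items():
        by_fp[hashlib.sha256(key_bytes).hexdigest()].append(device)
    return {fp: sorted(devs) for fp, devs in by_fp.items() if len(devs) > 1}

def nonce_findings(log):
    """Return (short, reused): nonces under 64 bits, and repeats for the same key."""
    short, reused, seen = [], [], set()
    for device, key_id, nonce in log:
        if len(nonce) * 8 < MIN_NONCE_BITS:
            short.append((device, nonce.hex()))
        if (key_id, nonce) in seen:  # uniqueness is tracked per key, as 6.2.6 requires
            reused.append((device, key_id, nonce.hex()))
        seen.add((key_id, nonce))
    return short, reused

if __name__ == "__main__":
    for fp, devs in shared_keys(FLEET_KEYS).items():
        print(f"shared key {fp[:16]}... on {devs}")
    short, reused = nonce_findings(NONCE_LOG)
    print("short nonces:", short)
    print("reused nonces:", reused)
```

In a real audit the key bytes would be the public key extracted from each device certificate, so that devices issued distinct certificates over one shared key pair are still caught.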