Each individual device must have unique cryptographic keys and certificates.
CWE-326: Inadequate Encryption Strength: The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CWE-330: Use of Insufficiently Random Values: The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements (C.2): Verify that cryptographic keys and certificates are unique to each individual device.
OWASP-ASVS v4.0.1 V2.9 Cryptographic Software and Devices Verifier Requirements (2.9.2): Verify that the challenge nonce is at least 64 bits in length, and statistically unique or unique over the lifetime of the cryptographic device.
OWASP-ASVS v4.0.1 V6.2 Algorithms (6.2.6): Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used.
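
One way to check these requirements against a device fleet, as an added example that is not part of the referenced standards. The inventory and event record layouts, the function names and all sample values are assumptions constructed for illustration.

```python
import hashlib
import secrets
from collections import defaultdict

MIN_NONCE_BITS = 64  # ASVS 2.9.2 lower bound for a challenge nonce

def shared_credentials(inventory):
    """Return {(kind, sha256): [device ids]} for material found on >1 device (C.2)."""
    seen = defaultdict(set)
    for rec in inventory:
        for kind in ("public_key", "certificate"):
            fp = hashlib.sha256(rec[kind]).hexdigest()
            seen[(kind, fp)].add(rec["device_id"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def nonce_findings(events):
    """Flag short nonces (2.9.2) and reuse under one key (6.2.6)."""
    findings, used = [], defaultdict(set)
    for key_id, nonce in events:  # events: iterable of (key_id, nonce bytes)
        if len(nonce) * 8 < MIN_NONCE_BITS:
            findings.append(("short_nonce", key_id, nonce.hex()))
        if nonce in used[key_id]:
            findings.append(("nonce_reuse", key_id, nonce.hex()))
        used[key_id].add(nonce)
    return findings

def new_challenge_nonce(n_bytes=16):
    """Draw a nonce from the OS CSPRNG rather than a predictable source (CWE-330)."""
    if n_bytes * 8 < MIN_NONCE_BITS:
        raise ValueError("nonce must be at least 64 bits")
    return secrets.token_bytes(n_bytes)

# Constructed sample data: short byte strings stand in for DER-encoded keys/certs.
INVENTORY = [
    {"device_id": "dev-001", "public_key": b"KEY-A", "certificate": b"CERT-A"},
    {"device_id": "dev-002", "public_key": b"KEY-B", "certificate": b"CERT-B"},
    {"device_id": "dev-003", "public_key": b"KEY-A", "certificate": b"CERT-C"},
]
EVENTS = [
    ("k1", bytes.fromhex("00112233445566778899aabbccddeeff")),
    ("k1", bytes.fromhex("00112233445566778899aabbccddeeff")),  # reused under k1
    ("k2", bytes.fromhex("00112233445566778899aabbccddeeff")),  # different key: allowed
    ("k2", bytes.fromhex("deadbeef")),                          # only 32 bits
]

if __name__ == "__main__":
    print(shared_credentials(INVENTORY))
    print(nonce_findings(EVENTS))
```

In the sample data, dev-001 and dev-003 share a public key even though their certificates differ, which is why the check fingerprints keys and certificates separately.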