This week in cybersecurity seems to only have one direction – down. After researchers found a massive flaw in the WPA2 WiFi protocol that made every WiFi connection susceptible to eavesdropping, another group of researchers discovered a new vulnerability undermining RSA encryption.
Researchers from the Centre for Research on Cryptography and Security at Masaryk University in the Czech Republic, along with Enigma Bridge Ltd, from the UK, and Ca’ Foscari University in Italy, revealed they discovered a flaw in cryptographic smartcards, security tokens, chipsets, and secure hardware created by Infineon Technologies, a German semiconductor firm.
Dubbed the ROCA vulnerability, it allows for a practical factorization attack. This means the attacker computes the private part of an RSA key. It does not matter if the key is 1024 or 2048 bit long, and the bug has been around since at least 2012, which means the chips are commonplace by now.
The RSA keys generated by the flawed products are, in fact, not randomized as they should be. This means they’re weak and crackable and any data encrypted with them can be vulnerable if an attacker puts in the time and resources. For instance, the team estimates that a 512 bit RSA key could be cracked in 2 hours, a 1024 bit RSA key in 97 days and a 2048 bit RSA key in 140 years, with costs of $0.06, $40-$80 and $20,000 – $40,000 respectively. The tests were done on an Intel E5-2650 v3@3GHz Q2/2014.
“Only the knowledge of a public key is necessary and no physical access to the vulnerable device is required. The vulnerability does not depend on a weak or a faulty random number generator – all RSA keys generated by a vulnerable chip are impacted,” reads the paper.
Researchers note that the confirmed number of vulnerable keys found is about 760,000, but it’s possible that the real number could be up to two to three magnitudes larger.
The vulnerable keys were discovered in various domains, from electronic citizen documents, authentication tokens, TLS/HTTPS keys and PGP.
Software updates to mitigate the issue have been released already by the likes of Microsoft, Google, HP, Lenovo, and Fujitsu. The researchers also provided offline and online detection tools for users to check to see whether or not they are affected by this.