October 26, 2017 | By Chris M. Roberts
State-of-the-art smartcards have been used by banks, large corporations, and governments to provide cryptographic protection for their data and user authentication. A newly disclosed vulnerability has been demonstrated to allow hackers to bypass data encryption and even two-factor authentication. Using only the public portion of an encryption key, attackers can calculate the user's private encryption key. Once the private key is determined, hackers can impersonate individuals, decrypt data, and inject malware into signed software. The flaw was discovered in code that has been in use since 2012 and is widely used by internationally trusted manufacturers.
IISP Analyst Chris M. Roberts: "This is yet another excellent reminder that no system or scheme should be considered foolproof. Despite these smartcards using large encryption keys (512-bit and 1024-bit), they were still able to be compromised. This vulnerability is not in the encryption but rather in the implementation of the encryption. Implementations of vetted standards, both protocol-level and security-related, are often the weakest points in communications schemes. For example, the latest major vulnerability against Bluetooth, BlueBorne, exploited vulnerabilities in the protocol implementation that occurs unencrypted.
"It’s unclear how wide the surface area of this vulnerability is. Estimates range from millions of cards being issued to hundreds of millions. Luckily, a solution to patch this vulnerability is in the works. Hopefully, embedded systems developers will begin to understand why they need to have their systems red-teamed for these types of vulnerabilities. In this case, the patch may be able to be rolled out without relying on the user to install it, but in many embedded systems, that is not the case. The back and forth between security researchers and hackers is as strong as ever and won’t be ending any time soon."
For further reading:
- Ars Technica: https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/