Forget wireless... your PCs are less safe now

DMS General
#1

This one is even worse than the wireless issue. This came across an alias at work

“A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion.”

This flaw affects TPM chips used in laptops as well, requiring firmware updates. . Apparently you’d need to suspend BitLocker, apply the OS update, firmware update, clear TPM, re-enable BitLocker in order to fix the vuln.

Affected Lenovos: https://support.lenovo.com/us/en/product_security/len-15552
Surface Pro 4 is also affected.
Guidance from MSFT: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012

3 Likes
SAE J3061 :blankspace:
#2

“Infineon-developed RSA Library version v1.02.013”

This is what people deserve who use proprietary software and accept the phrase “trust me”

Of note, this flaw only applies to the poor implementation by this commercial entity, not the underlying algorithym used.

1 Like
#3

This reminds me of one of my first jobs (gubmint of AZ) where our super secret squirrel user IDs were based directly and solely on employees social security numbers (it was a simple base 36 conversion). I recognized what was happening instantly (long story…) and indicated publicly the issues I had with that. Of course, I was the one that got in trouble ("what, you mean my crappy 30K/year gubmint job is at risk…say it isn’t so!) rather than the programmer/team that came up with it and put everyone’s personal info at risk.

3 Likes
#4

And that’s the bright spot in all this, same as KRACK. The underlying crypto is still valid, it’s just shoddy workmanship on top of it. Makes addressing it painful but possible.

1 Like
#5

bahaha… never once trusted “trusting computing” I even find UEFI suspicious.

Good thing no one ever really uses Infineon SmartCards. Oh wait… does this mean that our credit cards are exploitable?! A quick product search show YES.

1 Like
#6

To be absolutely safe, don’t trust anybody.

2 Likes
#7

unless they signed ones gpg key in person with state sponsored photo identity paperwork and applied $45 background check.

Or they have passed SCI Access level security clearance.