Forget wireless... your PCs are less safe now

This one is even worse than the wireless issue. This came across an alias at work

“A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion.”

This flaw affects TPM chips used in laptops as well, requiring firmware updates. . Apparently you’d need to suspend BitLocker, apply the OS update, firmware update, clear TPM, re-enable BitLocker in order to fix the vuln.

Affected Lenovos: https://support.lenovo.com/us/en/product_security/len-15552
Surface Pro 4 is also affected.
Guidance from MSFT: Security Update Guide - Microsoft Security Response Center

3 Likes

“Infineon-developed RSA Library version v1.02.013”

This is what people deserve who use proprietary software and accept the phrase “trust me”

Of note, this flaw only applies to the poor implementation by this commercial entity, not the underlying algorithym used.

1 Like

This reminds me of one of my first jobs (gubmint of AZ) where our super secret squirrel user IDs were based directly and solely on employees social security numbers (it was a simple base 36 conversion). I recognized what was happening instantly (long story…) and indicated publicly the issues I had with that. Of course, I was the one that got in trouble ("what, you mean my crappy 30K/year gubmint job is at risk…say it isn’t so!) rather than the programmer/team that came up with it and put everyone’s personal info at risk.

3 Likes

And that’s the bright spot in all this, same as KRACK. The underlying crypto is still valid, it’s just shoddy workmanship on top of it. Makes addressing it painful but possible.

1 Like

bahaha… never once trusted “trusting computing” I even find UEFI suspicious.

Good thing no one ever really uses Infineon SmartCards. Oh wait… does this mean that our credit cards are exploitable?! A quick product search show YES.

1 Like

To be absolutely safe, don’t trust anybody.

2 Likes

unless they signed ones gpg key in person with state sponsored photo identity paperwork and applied $45 background check.

Or they have passed SCI Access level security clearance.