This vulnerable library is used to secure national ID cards in several countries and is embedded in many popular software products used by both governments and businesses.
What's wrong with it?
The flaw is in the library's RSA key generation: the keys it produces can be factored, so an attacker can recover the secret half of any affected key from nothing but the corresponding public key. With the private key in hand, the attacker can impersonate the key's owner, decrypt sensitive data, sign malicious code so that it passes as legitimate software, and defeat the disk protection on stolen PCs.
The vulnerable cryptographic library was developed by the German chip manufacturer Infineon, and the error has been present since 2012. The flaw is serious because the library has been certified under two international security standards (NIST FIPS 140-2 and Common Criteria), and as a result it is used by many corporations and governments around the world.
The researchers examined national ID cards from four countries and quickly found that cards from at least two of them, Estonia and Slovakia, relied on vulnerable 2,048-bit keys. Estonian authorities confirmed the vulnerability, stating that about 750,000 affected cards had been issued since 2014. An Ars Technica journalist who obtained an Estonian e-residency card in 2015 found that the key on that card is among the factorizable ones.
Microsoft, Google, and Infineon have also warned that the factoring weakness can seriously undermine the security guarantees of TPM chips. Ironically, these crypto chips are deployed to give extra protection to exactly the users and organizations most exposed to attack.
The researchers also examined 41 laptop models equipped with TPM chips and found Infineon's library in 10 of them. The problem is most acute for TPM version 1.2, because the keys it uses to control Microsoft's BitLocker disk encryption are factorizable. In practice, anyone who steals or otherwise obtains a vulnerable computer can defeat its hard-drive and boot-loader protections.
The researchers further identified 237 factorizable keys that had been used to sign software published on GitHub, including some quite popular packages.
Among other findings, of 2,892 PGP keys used to encrypt email, 956 were factorizable. Reportedly, most of the vulnerable PGP keys had been generated on Yubikey 4 USB tokens. The token's other functions, including U2F authentication, were found not to be affected.
Finally, the researchers found 15 factorizable keys used for TLS; most of them had the word SCADA in the certificate's common name field.
How to protect yourself
The researchers will present their full findings at the ACM Conference on Computer and Communications Security. To give users time to replace their keys, they will not publish details of the factoring method before the conference.
They have, however, released a tool that checks whether a given key was generated by the vulnerable library; see their blog post for details. Infineon has released a firmware update that fixes the flaw, and TPM vendors are preparing their own patches.
The researchers have also contacted GitHub, which is now notifying users that they need to replace the keys used to sign their software. Estonian authorities, for their part, have closed their public key database, but we have seen no announcement about replacing the vulnerable ID cards.
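The following Python is an added illustration, not the researchers' published tool and not code from this page, of the principle a fingerprint check like theirs rests on. As the researchers' paper documents, the primes produced by the affected library have the form k*M + (65537^a mod M), where M is a product of the first few dozen small primes, so the public modulus reduced modulo each of those small primes always lands in the multiplicative subgroup generated by 65537. A key that fails that residue test cannot have come from the library, and an unrelated key passes it only with negligible probability, which is what makes the check usable on public keys alone. The structured modulus below is constructed with small parameters purely for the demonstration (it is not a real affected key), the random modulus is generated the ordinary way for comparison, and nothing here touches the factoring method the researchers withheld.

```python
import random

# First 39 primes (2 .. 167). Their product is the M used for 512-bit keys in the
# published analysis; larger key sizes use an M built from more primes that
# includes these, so the same residue test applies to every affected size.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537
M = 1
for _p in SMALL_PRIMES:
    M *= _p


def subgroup(p, g=GENERATOR):
    """The set {g^i mod p}: the subgroup of Z_p^* generated by g."""
    members, x = set(), 1
    while x not in members:
        members.add(x)
        x = x * g % p
    return frozenset(members)


# Every RSA modulus is odd, so the residue mod 2 carries no information.
ALLOWED = {p: subgroup(p) for p in SMALL_PRIMES[1:]}


def roca_fingerprint(n):
    """True if n mod p lies in <65537> for every small odd prime p.
    Moduli with the library's prime structure always pass; others almost never do."""
    return all(n % p in ALLOWED[p] for p in ALLOWED)


def false_positive_rate():
    """Chance that an unrelated modulus passes: residues of a random modulus are
    uniform on Z_p^*, so the chance per prime is |<65537>| / (p - 1)."""
    rate = 1.0
    for p, members in ALLOWED.items():
        rate *= len(members) / (p - 1)
    return rate


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin after trial division by the small primes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Ordinary prime generation: random odd candidate of the requested size."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def roca_style_prime(bits, rng):
    """Prime of the form k*M + (65537^a mod M): the structure described in the
    researchers' paper, rebuilt here with small parameters for illustration only."""
    k_bits = bits - M.bit_length()
    while True:
        a = rng.randrange(1, M)
        k = rng.randrange(1 << (k_bits - 1), 1 << k_bits)
        cand = k * M + pow(GENERATOR, a, M)
        if is_probable_prime(cand, rng):
            return cand


def roca_style_modulus(prime_bits, rng):
    return roca_style_prime(prime_bits, rng) * roca_style_prime(prime_bits, rng)


def random_modulus(prime_bits, rng):
    return random_prime(prime_bits, rng) * random_prime(prime_bits, rng)


def demo(seed=2017, prime_bits=256):
    """Build one structured and one ordinary modulus; returns (structured, random).
    The seed is fixed only so the demonstration is reproducible."""
    rng = random.Random(seed)
    return roca_style_modulus(prime_bits, rng), random_modulus(prime_bits, rng)


if __name__ == "__main__":
    weak, strong = demo()
    print("structured modulus flagged:", roca_fingerprint(weak))    # True
    print("random modulus flagged:    ", roca_fingerprint(strong))  # False
    print("false-positive rate: %.3g" % false_positive_rate())
```

To test a real public key, extract its modulus (for example with `openssl rsa -pubin -in key.pem -noout -modulus`), convert the hex to an integer and pass it to `roca_fingerprint`; a positive result means the key should be replaced. For anything beyond illustration, use the researchers' own tool, which carries the exact parameter sets for each key size.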