Following the revelation of the KRACK WPA2 vulnerability, another widespread vulnerability, dubbed ROCA, appeared affecting millions of devices running Infineon Technology’s Trusted Platform Module chips.
This 5-year-old vulnerability was found by security researchers at Masaryk University in the Czech Republic, who have released a blog post with more details about the weakness as well as an online tool to test if RSA keys are vulnerable.
Cryptographic RSA pairs generated on Infineon’s TPM are vulnerable to a factorization attack. It allows attackers to reverse-calculate someone’s private key based solely off of their public key. The risks of this vulnerability are that the attacker can impersonate the key owner, decrypt the user’s data protected by this key, injecting malware into signed software, etc.
The flaw also poses a security risk for government and corporate computers running Infineon’s cryptographic library and chips.To give companies and organisations time to update affected encryption keys before the details of how this vulnerability works and could be exploited are released, the researchers will be realeasing their research paper after giving a presentation of the vulnerability on November 2nd at the ACM Conference on Computer and Communications Security.
Major vendors including Infineon, Google, and Microsoft have already released the software updates for affected hardware and software as well as guidelines for mitigation of the vulnerability.
End users are encouraged to patch their affected devices as soon as possible.
– Matthew Turi