Government security tokens hackable - Politico Morning Cybersecurity

From Politico Morning Cybersecurity

The physical security tokens carried by senior government officials and industry executives can be hacked, according to blockbuster research revealed Monday. The software used to generate private cryptographic keys for the tokens’ chips, which are manufactured by a company called Infineon, can be reverse-engineered, letting hackers “factor” – or identify – the keys and intercept or spoof any data they are supposed to protect. The attack threatens to shatter the expectation of public key cryptography – that documents and messages signed by someone’s private key genuinely originated with that person. Beyond personal conversations and file exchanges, the vulnerability also affects cryptographically signed software updates, raising the possibility that hackers could spoof a verified update to install malware on someone’s computer. Such tactics have been used before.

Source: ROCA: Vulnerable RSA generation (CVE-2017-15361) [CRoCS wiki]

October 17th, 2017

About the Author:

Brian Ray
Professor Brian Ray has extensive experience in eDiscovery, information governance and data privacy. He and Candice Hoke created and serve as Co-Directors of the Center for Cybersecurity and Data Privacy at Cleveland-Marshall College of Law, where they are Professors of Law. Brian co-founded, with Tim Opsitnick of Jurinnov, the Cleveland eDiscovery Roundtable, an informal group of lawyers, judges and academics that meets monthly to discuss issues surrounding electronic discovery, cybersecurity and data privacy. Professor Ray is a member of the Sedona Conference's International Electronic Information Management, Discovery and Disclosure and Data Security and Privacy Liability Working Groups. Professor Ray is also an expert in international and comparative law. His book, Engaging with Social Rights: Participation, Procedure and Democracy in South Africa's Second-Wave (forthcoming Cambridge 2016), provides a comprehensive analysis of the South African Constitutional Court's social rights decisions. He has served as a Fulbright Scholar in South Africa and has published extensively on the law of human rights.
