Oct 16 2017

Digital Security Is Not Working Very Well

We live in a digital world with a false sense of security. While watching Blade Runner 2049 I smiled during a scene near the end where Deckard says to K, “What Have You Done?!?!?” I expect that this false sense of security will still exist in 2049 if humans manage to still be around.

The first big piece of security news this weekend was “‘All wifi networks’ are vulnerable to hacking, security expert discovers.” It’s only a “Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping,” but, well, that’s most Wi-Fi networks. If you want the real details, the website “Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse” goes into depth about KRACK Attacks. And yes, KRACK is already up on Wikipedia.

Here’s the summary, which is mildly disconcerting (that’s sarcasm if you missed it …):

The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.

I was cruising along in my naive security bliss this morning when I saw the article “Millions of high-security crypto keys crippled by newly discovered flaw.” It turns out that a widely used RSA library has a deep flaw in it and has been generating weak keys since 2012.

A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers.

The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it’s located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest.

I’m sure there will be a lot more written about each of these flaws in the next few days. I expect every security vendor is hard at work this morning figuring out what to patch, how to do it, what to tell their customers, and how to get all the patches out in the world as fast as possible.

The constraint, of course, will be on the user side. A large number of customers of the flawed products won’t update their side of things very quickly. And many more bad guys now have a very clear roadmap for another attack vector with high vulnerability.

Be safe out there. Well, at least realize that whatever you generate digitally isn’t as safe and secure as you might think it is.


Also published on Medium.