UPDATED 22:04 EDT / OCTOBER 16 2017

Serious encryption flaw in Infineon chips exposes billions of devices to attack

A newly discovered vulnerability in the code used by chips made by Infineon Technologies AG, used by a wide range of devices, opens the door to hackers, according to newly published research.

Discovered by researchers at Masaryk University in the Czech Republic last week, the vulnerability, dubbed “ROCA,” involves the chips’ use of trusted platform modules, or TPMs, that generate RSA key pairs for securing activities such as secure connections, disk encryption and access privileges. The flaw lies in the way the keys are generated: it allows an attacker to take a public key and use it to calculate the corresponding private key via a method called “Fast Prime,” a mathematical crack that can be powered by online cloud services.
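Because the weakness is in key generation, an affected key can be recognised from its public half alone. The check below is an added example written for this page, not code from the article or from the Masaryk team's own tool: it relies on the structure described in the published ROCA research, where each prime is p = k·M + (65537^a mod M) for M a product of the first few hundred primes, so the modulus N leaves a telltale residue pattern modulo every prime dividing M. The `constructed_roca_like_modulus` helper builds a synthetic value with that structure (its factors are not prime) purely to exercise the check.

```python
# ROCA public-key fingerprint check (added example, not from the article).
# Affected keys have primes p = k*M + (65537^a mod M), M = product of the
# first n primes, so N = p*q satisfies  N mod r in <65537 mod r>  for every
# prime r dividing M. A random key passes only with negligible probability;
# a key that fails the check is definitely not affected.

def small_primes(limit):
    """Primes up to and including limit (simple sieve)."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i*i::i] = bytearray(len(sieve[i*i::i]))
    return [i for i, flag in enumerate(sieve) if flag]

# Primes up to 167 are common to every ROCA M (512-bit keys use exactly
# these), so this set fingerprints all affected key sizes.
ROCA_PRIMES = small_primes(167)
E = 65537

def subgroup_generated_by(g, r):
    """Residues {g^i mod r}; 65537 generates a proper subgroup for many r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % r
    return seen

# Precompute the allowed residues; primes where 65537 generates all of
# Z_r^* are dropped because they cannot tell ROCA keys from ordinary ones.
FINGERPRINT = {r: subgroup_generated_by(E, r) for r in ROCA_PRIMES if r > 2}
FINGERPRINT = {r: s for r, s in FINGERPRINT.items() if len(s) < r - 1}

def is_roca_fingerprint(n):
    """True if RSA modulus n matches the ROCA residue pattern at every prime."""
    return all(n % r in s for r, s in FINGERPRINT.items())

def false_positive_rate():
    """Probability that an unrelated random modulus passes the fingerprint."""
    rate = 1.0
    for r, s in FINGERPRINT.items():
        rate *= len(s) / (r - 1)
    return rate

def constructed_roca_like_modulus(a, b, k1, k2):
    """Constructed test value with the ROCA structure (factors need not be prime)."""
    M = 1
    for r in ROCA_PRIMES:
        M *= r
    return (k1 * M + pow(E, a, M)) * (k2 * M + pow(E, b, M))
```

To scan a real certificate, extract the modulus (for example with `openssl x509 -noout -modulus`) and pass the integer to `is_roca_fingerprint`.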

Infineon Technologies and its cryptography chips may not be a household name, but chances are that billions of people are using the chips without realizing it. The chips can be found in a huge range of products, including smartcards, security tokens and laptops, in devices made by Fujitsu Ltd., Google LLC, HP Inc., Lenovo Group Ltd. and Microsoft Corp., to name but a few.

The good news is that the vulnerability can be fixed by software. Many companies already have issued patches for the problem, but given its use on smart cards as well, a 100 percent fix for every vulnerable use of Infineon’s chips may be a long time in coming.

Explaining the problem of patching all affected devices, Deral Heiland from Rapid7 Inc. told SiliconANGLE that the vulnerability within the RSA key generation process used within embedded technology is a critical issue that he fears will be haunting the tech sector for a number of years to come.

“With a vulnerability code library embedded within a number of products, how do we identify and how do we fix them all?” he said. “We currently do not have methods to effectively track such chip usage within the supply chain. Builders of embedded products often use a number of sub-components manufactured by other companies, which may use any number of various chip sets, including chip sets which may contain this vulnerable code library.”

Heiland added that even in cases where usage can be tracked, “how do we patch them, with patchability being one of the most critical issues facing us now within the IoT world? Also, whether hardware manufacturers want to believe it or not, they are now also software companies and are responsible for all their firmware installed on their products. The software industry has done a good job at building patching solutions around their products, but the embedded-product industry has not yet matured to that level.”

Anurag Kahol, chief technology officer at Bitglass Inc., said that organizations need to be aware of the risk encryption can present and to make sure they get their internal security procedures right. “Encryption, while a powerful tool for data protection, is only effective if implemented properly,” he said. “In this case, where private keys can be derived from public keys, the implementation was flawed. For organizations and governments that choose to encrypt data, key management – storing keys securely, rotating master keys and aliases to that master key – can be invaluable in protecting data.”

Photo: Raimond Spekking/Wikimedia Commons