While device-makers and software companies scramble to patch a vulnerability that potentially exposes every Wi-Fi session to hacking, another cryptographic flaw threatens the security of critical systems that use smartcards or hardware containing chips made by Germany’s Infineon Technologies.
The Wi-Fi threat, named KRACK (for “Key Reinstallation AttaCK”), was described yesterday in a paper released by Belgian researchers Mathy Vanhoef and Frank Piessens. The Infineon vulnerability, which could allow hackers to determine a private RSA key based on the public key, was dubbed “ROCA” by Czech and Slovak researchers who will present their findings at a security conference in two weeks.
In both cases, security experts are advising users of either Wi-Fi or RSA encryption technologies to update their devices as soon as patches become available.
‘Blindingly Obvious’… in Hindsight
According to Vanhoef and Piessens, pretty much any device with Wi-Fi capabilities could be vulnerable to a KRACK attack, which can be launched by tricking a targeted wireless device into reinstalling a cryptographic key that’s already in use. Although the attack hasn’t been observed in the wild, the researchers said the flaw exposed serious weaknesses in the WPA2 wireless security protocol that could allow an attacker to replay, decrypt and forge data sent to and from a victim’s device via Wi-Fi.
“This meets my definition of brilliant,” cybersecurity expert Bruce Schneier wrote on his blog. “The attack is blindingly obvious once it’s pointed out, but for over a decade no one noticed it.”
In a separate blog post yesterday, Matthew Green, a cryptography expert at Johns Hopkins University, pointed a finger at the institutional processes used to develop and approve IT security standards.
“If you’re looking for someone to blame, a good place to start is the IEEE,” Green wrote. “One of the problems with IEEE is that the…