When it comes to protecting your data and securing communications across the internet, one word probably springs to mind, and that's encryption. Anything that weakens the ability of encryption to work as expected is understandably concerning, whether it's Windows BitLocker security vulnerabilities, crypto wallet encryption key attacks, or the bypassing of Google Chrome's application-bound encryption. A new demonstration at a technical conference has now suggested that the RSA keys behind digital certificates securing millions of internet-connected devices are fundamentally flawed. What's more, the researchers first warned of this danger in 2019. Here's what you need to know.
Serious Flaws In Encryption Keys Could Open The Door To Attack, Researchers Say
What if the cryptographic certificates used to secure everything from your internet communications to the software updates that are critical to maintaining security in an ever-changing threat landscape were not, well, entirely as secure as you thought?
Some cryptographic certificates rely on RSA keys whose prime factors were "poorly created, making it possible for attackers to crack the encryption and reveal private information," Paul Wagenseil, writing at SC Media, said. This was the basis for a presentation at the Keyfactor Tech Days conference in Miami, where research first published in 2019 was used to demonstrate just how serious these factorization flaws remain. I would heartily recommend reading the article by Wagenseil for the technical detail behind the security flaws and, if you are a budding math genius, the research paper itself.
I have reached out to RSA for a statement.
I'll leave the simple explanation up to Jamie Akhtar, CEO at CyberSmart, who told me that RSA keys are critical for most commonly used forms of encryption to work correctly and, by implication, badly generated RSA keys leave that encryption open to criminal attention. "The security of RSA relies on the difficulty of factoring large numbers," Akhtar said, "specifically the product of two large prime numbers." It doesn't take a genius, however, to appreciate that if two different RSA keys share a prime factor, both can be broken pretty quickly: the common prime falls straight out of a greatest-common-divisor calculation on the two public moduli, and dividing it out gives each key's other prime. That, dear reader, is the crux of the problem here. "In other words," Akhtar warned, "any system using these faulty RSA keys is open to a breach, and if early estimates are accurate, this could affect millions of devices and systems, with IoT devices particularly vulnerable." Given that such devices can be found in hospitals, industrial control systems and even vehicles, it's something you might have thought would have been addressed by now. "This discovery highlights the need for continuous evaluation and improvement of our security infrastructure," Javvad Malik, lead security awareness advocate at KnowBe4, said, "particularly as IoT devices are increasingly ubiquitous." Malik said that a multi-faceted approach is essential, with organizations needing to evaluate their exposure and prioritize mitigation efforts. "Fostering increased cooperation between manufacturers, developers, and security professionals is crucial to address systemic vulnerabilities effectively," Malik concluded.
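The shared-prime weakness Akhtar describes, shown as an added example that is not from the article or from the researchers' paper: a Python audit that takes an inventory of RSA public moduli (here a constructed set built from small primes, with made-up device labels) and flags every key that shares a prime with another, which is the check an organization would run over its own certificate fleet.

```python
from math import gcd, prod
from typing import Dict, List, Optional, Tuple

# Constructed sample (not real keys): small primes stand in for the 1024-bit
# primes of a real RSA modulus; the arithmetic is identical at any size.
P1, P2, P3, Q1, Q2 = 1000003, 1000033, 1000037, 1000039, 1000081
SAMPLE_MODULI = {
    "device-A": P1 * Q1,  # shares P1 with device-C
    "device-B": P2 * Q2,  # independent primes: should pass the audit
    "device-C": P1 * P3,  # shares P1 with device-A
}

def _proper_factor(n: int, others: List[int]) -> Optional[int]:
    """Pairwise fallback: return a prime of n that some other modulus also uses."""
    for m in others:
        g = gcd(n, m)
        if 1 < g < n:
            return g
    return None  # only exact duplicates of n, or nothing shared

def audit_shared_factors(moduli: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Return {label: (p, q)} for every modulus sharing a prime with another.

    One gcd of N against the product of all the other moduli reveals any prime
    N has in common with the rest; N // g is then N's other prime, so the key
    is fully factored (and the private exponent follows directly from p and q).
    """
    total = prod(moduli.values())
    weak: Dict[str, Tuple[int, int]] = {}
    for label, n in moduli.items():
        g = gcd(n, total // n)
        if g == 1:
            continue  # no prime in common with any other key in the inventory
        if g == n:    # both primes reused elsewhere: isolate one of them pairwise
            g = _proper_factor(n, [m for k, m in moduli.items() if k != label])
            if g is None:
                continue  # identical modulus on two devices; not factored here
        p, q = sorted((g, n // g))
        assert p * q == n  # sanity check: this is a genuine factorisation of N
        weak[label] = (p, q)
    return weak

if __name__ == "__main__":
    for label, (p, q) in audit_shared_factors(SAMPLE_MODULI).items():
        print(f"{label}: modulus factored, p={p} q={q}")
```

With millions of keys, the product-and-gcd step is done with a product tree rather than one giant product, but the finding is the same: any modulus the audit factors must be treated as compromised and the certificate reissued from a freshly generated key.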