Cracking RSA Keys at a Factor of the Price
A few weeks ago, we wrote about a fundamental weakness in the generation of RSA keys produced by Infineon Technologies AG. The weakness would allow an attacker to successfully crack a single 2,048-bit RSA key with 51,400 vCPU days, or roughly $35,000 on Amazon EC2. Since then, researchers Daniel J. Bernstein and Tanja Lange have developed a more efficient attack that is up to 25% faster than the original ROCA attack.
The bad news doesn’t stop there, as the price could be driven down further through the use of specialized hardware such as GPUs, FPGAs, or ASICs, leaving attackers with just an energy bill of $2,000 to crack a single key.
Estonia moved to suspend the digital ID cards affected by the vulnerability, and citizens must update their digital certificates. These digital ID cards are used to identify the user for voting and filing taxes.
If you use a hardware token for RSA key generation, double check with the manufacturer to make sure your device is not affected.
IoT Keyboard Cloud Driver
From the department of “why is that a thing,” users discovered that the driver shipped with their MantisTek GK2 mechanical keyboard is collecting keystroke metrics and sending them to the cloud.
The initial assumption was that the driver was delivering malware and collecting keystrokes to spy on users; however, upon further inspection, it appears that only the keystroke metrics were sent to the cloud, presumably to determine the lifetime of individual keyboard keys.
Even so, the invasion of privacy remains, and it serves as a good warning that every piece of software you install expands your attack surface.
Money Disappearing into the Ether(eum)
“What if money was represented by JavaScript?”
The answer to that silly question is that approximately $300,000,000 USD vanishes into the ether. A user identified as “devops199” discovered a vulnerability in an Ethereum “smart contract” that allowed him to take control of the library through an unprotected initWallet() method, turning the library into a wallet, and then to call suicide() on the new wallet/library.
The end result is that the Parity multi-signature library code that was hosted on the Ethereum blockchain has been deleted, and the funds in any wallet depending on that library code are frozen, including those of a number of Initial Coin Offerings (ICOs).
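The sequence described above, as a simplified Python model added here (it is not Parity's contract code and not part of the original post). `Library`, `Wallet`, `kill` (the model's name for the call that triggers suicide()), `withdraw` and the `hardened` flag are assumed names, and the hardened variant shows one possible guard, not the fix Parity shipped.

```python
class Reverted(Exception):
    """Models a reverted transaction."""

class Library:
    """Shared wallet code. It is a contract too, with storage of its own."""
    def __init__(self, deployer, hardened):
        self.hardened, self.code_present = hardened, True
        # Hardened: the library's own storage is initialised at deploy time.
        self.storage = {"owners": [deployer] if hardened else []}

    def run(self, storage, method, sender, *args):
        """Execute library code against `storage` (its own, or a delegating wallet's)."""
        if not self.code_present:
            raise Reverted("no code at library address")
        if method == "initWallet":
            if self.hardened and storage["owners"]:
                raise Reverted("already initialised")
            storage["owners"] = list(args[0])  # vulnerable: anyone may (re)set owners
            return None
        if sender not in storage["owners"]:
            raise Reverted("not an owner")
        if method == "kill":
            return "selfdestruct"
        if method == "withdraw":
            storage["balance"] -= args[0]
            return args[0]
        raise Reverted("unknown method")

    def call(self, method, sender, *args):
        """A transaction sent directly to the library's own address."""
        if self.run(self.storage, method, sender, *args) == "selfdestruct":
            self.code_present = False  # the shared code is gone for every wallet

class Wallet:
    """Holds funds and owners; every operation is delegated to the library code."""
    def __init__(self, library, owners, balance):
        self.library, self.storage = library, {"owners": [], "balance": balance}
        library.run(self.storage, "initWallet", owners[0], owners)

    def call(self, method, sender, *args):
        return self.library.run(self.storage, method, sender, *args)

def scenario(hardened):
    """Constructed scenario: a stranger targets the library, then alice withdraws."""
    lib = Library("deployer", hardened)
    wallet = Wallet(lib, ["alice"], balance=100)
    try:
        lib.call("initWallet", "stranger", ["stranger"])
        lib.call("kill", "stranger")
    except Reverted:
        pass
    try:
        wallet.call("withdraw", "alice", 10)
        return "withdraw ok", wallet.storage["balance"]
    except Reverted as exc:
        return f"frozen: {exc}", wallet.storage["balance"]
```

In the unguarded run the wallet's balance is untouched but unreachable, which is the "frozen" state the post describes: the wallet's storage survives, the code it delegates to does not.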
At this point it’s not clear if there’s anything that could be done to recover the frozen funds without another hardfork (as previously done due to the DAO hack).
Moral of the story? Writing code is hard and entrusting your money to it is still a risky bet.