Oct 16, 2017

Millions of encryption keys vulnerable to new exploit

A customer tries out a new Apple iPhone 6S at an Apple store in Chicago. Photo: Kiichiro Sato / AP

Slovak and Czech researchers have found a vulnerability in government and corporate encryption cards that lets hackers impersonate key owners, inject malicious code into digitally signed software, and decrypt sensitive data, Dan Goodin reports for Ars Technica. The researchers showed that some of these keys can be easily hacked, which is notable because these kinds of keys were previously thought to be virtually impervious to hackers.

Why it matters, from Axios' Senior Developer Chris Barna: Although breaking these keys could take a lot of time and money, "when you have the resources of a malicious government, 17 days and hundreds of thousands of dollars can be worth it if the perceived payoff is big enough."

What to watch for, as Graham Steel, CEO of encryption consultancy Cryptosense, told Ars Technica: "If you have a document digitally signed with someone's private key, you can't prove it was really them who signed it. Or if you sent sensitive data encrypted under someone's public key, you can't be sure that only they can read it."
