[TriLUG] Got a Yubikey or a Chromebook? Heads up about ROCA...

Scott Chilcote via TriLUG trilug at trilug.org
Tue Oct 17 09:56:56 EDT 2017


Thanks Aaron,

This article has a list of the Chromebooks that have the vulnerability:

https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update

I was glad to see that I missed out on this one.

   Scott C.


On 10/17/2017 08:50 AM, Aaron Joyner via TriLUG wrote:
> TL;DR: If you have a Chromebook, a Yubikey 4, or other device which uses an
> Infineon TPM for hardware encryption, the RSA private keys generated by
> that device may be rather easily compromised.
>
> Fixes are rolling out where possible.  For some use cases you may have to
> regenerate keypairs and redistribute public keys.  Some devices like the
> Yubico 4 can't update this aspect of the software in the TPM by design, and
> will have to be replaced.
>
> Here are a few links, ranging from news-y to technical:
> https://www.forbes.com/sites/thomasbrewster/2017/10/16/worse-than-krack-google-and-microsoft-patch-massive-5-year-old-encryption-hole/#501ffe9747c3
>
> https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecure-rsa-keys-multiple-vendors-affected/
>
> https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
>
> https://www.yubico.com/support/security-advisories/ysa-2017-01/
>
> October is an "uncomfortably exciting" month, security-wise...
> Aaron S. Joyner


-- 
Scott Chilcote
scottchilcote at ncrrbiz.com
Cary, NC USA


