[TriLUG] Got a Yubikey or a Chromebook? Heads up about ROCA...

Roger W. Broseus via TriLUG trilug at trilug.org
Tue Oct 17 12:15:00 EDT 2017


See,

http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/

and

https://www.windowscentral.com/vendors-who-have-patched-krack-wpa2-wi-fi-vulnerability

Might have duplicity.

--
Roger W. Broseus - Linux User
     Email: RogerB at bronord.com
     Web Site: www.bronord.com

On 10/17/2017 09:56 AM, Scott Chilcote via TriLUG wrote:
> Thanks Aaron,
>
> This article has a list of the Chromebooks that have the vulnerability:
>
> https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update
>
> I was glad to see that I missed out on this one.
>
>     Scott C.
>
>
> On 10/17/2017 08:50 AM, Aaron Joyner via TriLUG wrote:
>> TL;DR: If you have a Chromebook, a Yubikey 4, or other device which uses an
>> Infineon TPM for hardware encryption, the RSA private keys generated by
>> that device may be rather easily compromised.
>>
>> Fixes are rolling out where possible.  For some use cases you may have to
>> regenerate keypairs and redistribute public keys.  Some devices like the
>> Yubico 4 can't update this aspect of the software in the TPM by design, and
>> will have to be replaced.
>>
>> Here are a few links, ranging from news-y to technical:
>> https://www.forbes.com/sites/thomasbrewster/2017/10/16/worse-than-krack-google-and-microsoft-patch-massive-5-year-old-encryption-hole/#501ffe9747c3
>>
>> https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecure-rsa-keys-multiple-vendors-affected/
>>
>> https://www.infineon.com/cms/en/product/promopages/rsa-update/rsa-background
>>
>> https://www.yubico.com/support/security-advisories/ysa-2017-01/
>>
>> October is an "uncomfortably exciting" month, security-wise...
>> Aaron S. Joyner
>


