A flaw in a widely used code library has undermined the security of millions of encryption keys used in national identity cards, code-signing, and other platforms protecting. The weakness lets bad actors calculate the private portion of a vulnerable key so they can impersonate key owners, decrypt data and sneak malicious code into signed software.
The vulnerability stems from a code library developed by German chipmaker Infineon. Affected cards include the Gemalto IDPrime.NET, which was available from 2004 until recently. The cards were issued to a number of high-profile clients, including Microsoft, and millions of them were made and sold across the world.
Ars Technica has a detailed analysis of how the vulnerability works and how it’s exploited. Suffice it to say, this is a significant issue that can have a major impact on affected parties.
If you have one of the affected cards, you should conduct a risk assessment so you understand the impact of the vulnerability on your business.