Each of Spain’s DNIe ID cards has a chip containing two certificates, one for identification and one for electronic signing. Image: Cuerpo Nacional de Policía
When security researchers discovered last month that secure hardware made by Germany’s Infineon Technologies was not so secure after all[1], it was clear that there would be major implications. There are a lot of smartcards and other devices out there with Infineon’s chips in them, and the ‘ROCA’ flaw[2] in Infineon’s key pair-generation algorithm made it possible for someone to discover a target’s private key just by knowing what their public key was. Now, in an analogous situation to that recently experienced in Estonia[3], Spain seems to be having a tough — and arguably more chaotic — time dealing with the implications for its national identity smartcards. Estonia’s big security flaw only affected around 760,000 cards, although Estonians genuinely use their cards for a great variety of public and private services. Against that figure, there are around 60 million identity smartcards in Spain. However, according to an El País article[4], Spaniards were only using theirs in 0.02 percent of public-service engagements when surveyed a few years back. Dan Cvrcek is the CEO at security firm Enigma Bridge, which was co-founded by researchers who identified the ROCA flaw.
He told ZDNet that exploitation of the flaw could allow attackers to revert or invalidate contracts that people have signed, in part because the Spanish don’t use timestamps for very important signatures. “I still don’t think you can do a large-scale attack that would target a lot of people,” Cvrcek said. However, he added, the cost of an individual attack has “rapidly decreased”. The assumption used to be that an attack cost between $20,000 and $40,000, but now it’s “realistically $2,000”. Each card, known as the DNIe, has a chip that contains two certificates, one for identification and one for electronically signing things. According to El Diario[5], the authorities responded to Infineon’s October vulnerability disclosure by revoking, on November 6, all certificates issued since April 2015. What’s more, the authorities have stopped letting people sign things with the card at the self-service terminals found at many police stations.
That decision affects every card, not only those that have the flaw. However, people can still digitally sign documents online, using a small card reader that connects to their PCs. The readers are needed to update the affected cards. But there is as yet no indication of when the affected cards will be updated. Indeed, there doesn’t seem to be much official information out there at all, something which has not gone unnoticed in the Spanish tech press. “Neither the police nor other public bodies have given more information through their social media accounts about the impact of the vulnerability and how to act if affected,” said Xataka[6]. At least the Basque certificate authority Izenpe, which has revoked 30,000 certificates, has given information[7] about how to replace them, the blog added. Amid all that chaos, it also seems that some people with recently issued DNIe cards are still able to use them, despite the supposed revocation of their certificates. “I would not mind if it continued like this until there are new certificates,” tweeted[8] one user. Toomas Ilves, the former president of Estonia, said earlier this week that he believed millions of people in countries had been affected by the ROCA flaw, but their authorities were remaining “silent”.
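The article says the flaw lets someone derive a private key from the public key alone, which is why whole batches of certificates are being revoked rather than individually examined. The defender's first question is therefore whether a given key came from the affected generator. The researchers who found ROCA published a fingerprint for that: a modulus N from the flawed generator has the form k·M + (65537^a mod M), where M is the product of small primes, so N mod p lies in the subgroup generated by 65537 for every small prime p dividing M. The following is an added example, not code from ZDNet, Enigma Bridge or the DNIe project, that implements that published fingerprint in plain Python over the first 38 odd primes (the set used for the smallest affected key sizes, and a divisor of M for the larger ones). The sample moduli are constructed here to exercise the check; neither is a real key, and the check only classifies a key, it recovers nothing.

```python
# Added example (not from the article): the published ROCA public-key fingerprint.
# A modulus N produced by the affected generator satisfies, for every small prime p,
#     N mod p  is in  { 65537^a mod p : a >= 0 }
# i.e. the residue lies in the cyclic subgroup generated by 65537 in Z_p^*.
# A modulus from an ordinary generator fails this for some p with overwhelming
# probability, so a defender can triage which keys actually need revoking.

PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
          73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149,
          151, 157, 163, 167]
GENERATOR = 65537


def subgroup_residues(p: int) -> frozenset:
    """All values 65537^a mod p: the subgroup generated by 65537 in Z_p^*."""
    g = GENERATOR % p
    residues = set()
    x = 1
    while x not in residues:        # stops once the cycle returns to 1
        residues.add(x)
        x = (x * g) % p
    return frozenset(residues)


# Precompute the allowed residue set once per prime.
ALLOWED = {p: subgroup_residues(p) for p in PRIMES}


def first_failing_prime(n: int):
    """Return the first small prime p for which n mod p is outside the ROCA
    subgroup, or None when n passes for every prime (looks ROCA-generated)."""
    for p in PRIMES:
        if (n % p) not in ALLOWED[p]:
            return p
    return None


def is_roca_fingerprint(n: int) -> bool:
    """True if the RSA modulus n has the structure left by the flawed generator."""
    return first_failing_prime(n) is None


def make_roca_like_modulus(k: int, a: int) -> int:
    """Constructed test value N = k*M + (65537^a mod M), M = product of PRIMES.
    NOT a real key: it merely reproduces the residue pattern so the check can be
    exercised offline."""
    m = 1
    for p in PRIMES:
        m *= p
    return k * m + pow(GENERATOR, a, m)


# Constructed sample inputs: one number shaped like an affected modulus, and one
# product of two Mersenne primes standing in for a normally generated key.
SAMPLE_AFFECTED = make_roca_like_modulus(k=123456789, a=4242)
SAMPLE_NORMAL = (2**127 - 1) * (2**61 - 1)

if __name__ == "__main__":
    for label, n in (("affected-shaped", SAMPLE_AFFECTED), ("normal", SAMPLE_NORMAL)):
        bad = first_failing_prime(n)
        verdict = "matches ROCA fingerprint" if bad is None else f"not ROCA (fails at p={bad})"
        print(f"{label}: {verdict}")
```

To run this against a real certificate, extract the modulus as hex with `openssl x509 -in cert.pem -noout -modulus` and pass `int(hex_string, 16)` to `is_roca_fingerprint`. The normal sample above fails already at p = 11, where the subgroup generated by 65537 is just {1, 10}; most unaffected keys are rejected within the first handful of primes, which is what makes the fingerprint cheap enough to sweep an entire certificate store.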
Previous and related coverage
Estonia is built on secure state e-systems, so the world was watching when it hit a huge ID-card problem
A new security flaw has placed the security of RSA encryption in jeopardy.
- ^ not so secure after all (www.zdnet.com)
- ^ the ‘ROCA’ flaw (www.infineon.com)
- ^ experienced in Estonia (www.zdnet.com)
- ^ El País article (cincodias.elpais.com)
- ^ El Diario (www.eldiario.es)
- ^ Xataka (www.xataka.com)
- ^ given information (www.izenpe.eus)
- ^ tweeted (twitter.com)
- ^ Estonia’s ID card crisis: How e-state’s poster child got into and out of trouble (www.zdnet.com)
- ^ As devastating as KRACK: New vulnerability undermines RSA encryption keys (www.zdnet.com)
Detailed security arrangements for London Heathrow airport, including the Queen’s precise route every time she passes through, were found on a USB stick left in a West London street, according to reports. The unencrypted USB stick was found lying under leaves on Ilbert Street, a leafy terrace near the famous Kensal Green cemetery, reportedly by an unemployed jobseeker on his way to a library. Having plugged the stick into a computer, the man found a treasure trove of what appeared to be security-related documents, including routes and timings of security patrols, types of ID needed to access restricted areas, maps of CCTV cameras and otherwise hidden access shafts onto the Heathrow Express railway line that runs under the airport.
No passwords had been applied to the stick or any of its contents. Curiously, the Sunday Mirror reported[1] that some of the 2.5GB of documents on the stick were marked ‘confidential’ or ‘restricted’, security classification markings that were officially superseded in central government use four years ago. Most police forces have followed suit. A reporter from the paper wrote: “Why was this sensitive material held on an unencrypted memory stick and taken off site? It’s a huge security breach and massively embarrassing for those in charge of security.
“The cumulative impact of having so many documents, videos, maps and images all in one place represents a security risk.” The offending files were passed on to Heathrow security. An airport spokeswoman told the Guardian that an internal investigation had been launched, adding: “We have reviewed all of our security plans and are confident that Heathrow remains secure.
“We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future.”
Wow. It’s like the 2000s all over again
This idiotic blunder by whoever took the USB stick out of Heathrow sounds like something from the bad old days of the previous decade, when confidential data was blithely left lying around on abandoned laptops, folders on trains, and all the rest of it. One presumes that whoever did this will shortly be joining the person who found the USB stick on a job hunt.
As for the wider implications, they barely need spelling out: had the chance passerby been someone less kindly disposed towards the UK than the finder of the stick, the consequences could have been seriously bad.
The Sri Lanka T20 squad were surrounded by ‘extraordinary’ security arrangements upon their arrival in Lahore on Sunday morning, for the third T20I at the Gaddafi Stadium. This is the first Sri Lanka team to visit Pakistan since the terror attack targeting Sri Lanka’s team bus in Lahore in 2009. The side, which flew in from Abu Dhabi, was escorted to the team hotel in a bomb-proof bus. The routes from the Allama Iqbal Airport in Lahore were virtually sealed off with thousands of armed police deployed along the 14 km route. The streets leading to Mall Road were also deserted as the team was flanked by a large convoy of police commandos. The arrangements were similar to the security protocol followed for a presidential visit. A Sri Lankan security delegation had visited Lahore over the last two days to oversee the arrangements. A full dress rehearsal of the security arrangements from the airport to the hotel to the stadium – involving the Pakistan army, Pakistan’s paramilitary force, the Rangers, and the Punjab police – was also held. “We are prepared to host the Sri Lanka team,” Dr Haider Ashraf, Deputy Inspector General (operations) of Punjab Police, told reporters at Gaddafi Stadium. “Under the umbrella of the Punjab government, and with the help of the Pakistan army, Rangers and intelligence agencies, we are geared up to make this event successful.
“I can assure that the entire administration from the Punjab government and police is very much professional and competent to handle such an event. A Sri Lanka security delegation was here and nobody has so far objected or expressed any dissatisfaction about any of our arrangements. We have adopted all the best international practices and everyone on board is satisfied.
“International security consultants are also on board. There are four layers of security checkpoints to enter the stadium and the Lahore administration has put a shuttle service in place to take fans from the parking area to the stadium gates. There are four parking points covering all directions of the city.”
The team that landed on Sunday does not include any player or coach who was present in 2009. Sri Lanka Cricket had announced a new-look T20I squad after several senior players refused to travel to Lahore. Sri Lanka’s regular T20I captain, Upul Tharanga, had pulled out, along with Lasith Malinga, Niroshan Dickwella, Suranga Lakmal and Akila Dananjaya. The team is being captained by Thisara Perera. SLC president Thilanga Sumathipala and sports minister Dayasiri Jayasekara have accompanied the side to Lahore. Sunday’s match is yet another attempt by the Pakistan Cricket Board to show the country’s will and capacity to host international cricket, which had stopped for many years following the 2009 terror attack. In March 2009, the Sri Lanka team bus was attacked en route to the Gaddafi Stadium for the third day of the second Test, at the Liberty Roundabout situated 1.5 kilometres from the stadium. Eight people were killed in the attack and a few Sri Lanka players were injured. With teams refusing to tour Pakistan in the aftermath of the attack, the board had to adopt the UAE as its home venue for international cricket.
The landscape of the city, however, has changed drastically over the last eight years. The flow of traffic around the Liberty Roundabout has been altered, and the Nishtar Park complex, which houses the Gaddafi Stadium, is now well protected with huge metal gates. In 2015, Zimbabwe became the first Test-playing nation to tour Pakistan since the attack, with a limited-overs series held in Lahore. Despite extensive security measures, a bomb blast occurred 800m away from the Gaddafi Stadium during the second ODI, killing two people. Zimbabwe stayed on and finished the series two days later, but the tour did not lead to a change in the perceptions about security in Pakistan. The next high-profile match in Lahore was the Pakistan Super League final in March 2017. This was followed by a successful tour of the World XI for three T20Is in September, which saw a number of high-profile cricketers turn out. The World XI side was coached by Andy Flower and included five players from South Africa – including Faf du Plessis and Hashim Amla – three from Australia, two from West Indies and one player each from England, Bangladesh, New Zealand and Sri Lanka. The series was officially backed by the ICC, who also hired independent experts to oversee security arrangements.
Players were offered US $100,000 to play the series, which spanned five days. It was a key step for the PCB in its efforts to convince teams that Pakistan is ready to host top-flight international cricket. The PCB is now in talks with Cricket West Indies for three T20I matches in November, but the West Indies board has not yet confirmed the series.