Each of Spain’s DNIe ID cards has a chip containing two certificates, one for identification and one for electronic signing.
Image: Cuerpo Nacional de Policía
When security researchers discovered last month that secure hardware made by Germany’s Infineon Technologies was not so secure after all[1], it was clear that there would be major implications. There are a lot of smartcards and other devices out there with Infineon’s chips in them, and the ‘ROCA’ flaw[2] in Infineon’s key-pair generation algorithm made it possible for someone to discover a target’s private key just by knowing their public key. Now, in an analogous situation to that recently experienced in Estonia[3], Spain seems to be having a tough — and arguably more chaotic — time dealing with the implications for its national identity smartcards. Estonia’s big security flaw only affected around 760,000 cards, although Estonians genuinely use their cards for a great variety of public and private services. Against that figure, there are around 60 million identity smartcards in Spain. However, according to an El País article[4], Spaniards were only using theirs in 0.02 percent of public-service engagements when surveyed a few years back. Dan Cvrcek is the CEO at security firm Enigma Bridge, which was co-founded by researchers who identified the ROCA flaw.
He told ZDNet that exploitation of the flaw could allow attackers to revert or invalidate contracts that people have signed, in part because the Spanish don’t use timestamps for very important signatures. “I still don’t think you can do a large-scale attack that would target a lot of people,” Cvrcek said. However, he added, the cost of an individual attack has “rapidly decreased”. The assumption used to be that an attack cost between $20,000 and $40,000, but now it’s “realistically $2,000”. Each card, known as the DNIe, has a chip that contains two certificates, one for identification and one for electronically signing things. According to El Diario[5], the authorities responded to Infineon’s October vulnerability disclosure by revoking, on November 6, all certificates issued since April 2015. What’s more, the authorities have stopped letting people sign things with the card at the self-service terminals found at many police stations.
That decision affects every card, not only those that have the flaw. However, people can still digitally sign documents online, using a small card reader that connects to their PCs. The readers are needed to update the affected cards, but there is as yet no indication of when the affected cards will be updated. Indeed, there doesn’t seem to be much official information out there at all, something which has not gone unnoticed in the Spanish tech press. “Neither the police nor other public bodies have given more information through their social media accounts about the impact of the vulnerability and how to act if affected,” said Xataka[6]. At least the Basque certificate authority Izenpe, which has revoked 30,000 certificates, has given information[7] about how to replace them, the blog added. Amid all that chaos, it also seems that some people with recently issued DNIe cards are still able to use them, despite the supposed revocation of their certificates. “I would not mind if it continued like this until there are new certificates,” tweeted[8] one user. Toomas Ilves, the former president of Estonia, said earlier this week that he believed millions of people in countries had been affected by the ROCA flaw, but their authorities were remaining “silent”.
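The article says the ROCA flaw lets someone derive a private key from the public key alone, and that nobody seems to know which DNIe cards are affected. The published analysis of the flaw (Nemec et al., 2017) also explains why affected keys can be recognised from the public modulus alone: the Infineon library built its primes as p = k·M + (65537^a mod M), where M is the product of the first few small primes, so for every small prime r dividing M the modulus N = p·q lies in the multiplicative subgroup generated by 65537 modulo r. The script below is an added example (mine, not the article’s and not Infineon’s, Enigma Bridge’s or the published detector’s code) that implements this defender-side fingerprint check: it answers “does this public key carry the ROCA structure?” and nothing more. It assumes, as I recall from the paper, that the primorial for 512-bit keys is the product of the primes 2 through 167 and that the primorials for larger key sizes are multiples of it, so the primes up to 167 serve as a fingerprint for every key size. The sample moduli are constructed for the test and are not real keys.

```python
#!/usr/bin/env python3
"""ROCA public-key fingerprint check (added example, not the article's code).

An affected modulus N satisfies, for each small prime r dividing the
primorial M:  N mod r  is a power of 65537 mod r.  A key that fails this
test for even one r cannot have been generated by the flawed routine.
A random key matches the whole fingerprint only with negligible
probability, so a positive is a strong signal to revoke and re-issue.
"""
from functools import reduce

GENERATOR = 65537  # powers of this value mod M define the affected primes


def primes_up_to(limit):
    """Plain sieve of Eratosthenes; primes <= limit in increasing order."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_prime in enumerate(sieve) if is_prime]


# Assumption (see lead-in): M for 512-bit keys is the product of the first
# 39 primes, 2..167, and the M for larger keys is a multiple of it.
SMALL_PRIMES = primes_up_to(167)
M_512 = reduce(lambda x, y: x * y, SMALL_PRIMES, 1)


def generated_subgroup(g, r):
    """All residues g^k mod r (the cyclic subgroup of Z_r^* generated by g)."""
    seen = set()
    x = 1
    while x not in seen:
        seen.add(x)
        x = (x * g) % r
    return frozenset(seen)


# Residues that an affected modulus may take modulo each odd small prime.
# (2 is skipped: every RSA modulus is odd, so it carries no information.)
ALLOWED = {r: generated_subgroup(GENERATOR, r) for r in SMALL_PRIMES if r != 2}


def failing_primes(n):
    """Small primes r for which n mod r is NOT a power of 65537 mod r.

    An empty list means n carries the ROCA fingerprint; every prime in the
    list is independent evidence that the key was generated some other way.
    """
    return [r for r in ALLOWED if n % r not in ALLOWED[r]]


def has_roca_fingerprint(n):
    """True when the public modulus n matches the ROCA structure."""
    return not failing_primes(n)


def make_synthetic_roca_modulus(a, k):
    """Constructed test value with the residue structure of an affected modulus.

    Not a real RSA key (no primality, no two factors); the fingerprint only
    depends on the value modulo M, which is what this reproduces.
    """
    return pow(GENERATOR, a, M_512) + k * M_512


if __name__ == "__main__":
    suspect = make_synthetic_roca_modulus(12345, 7)      # constructed, matches
    ordinary = 7 * M_512 + 2                             # constructed, 2 mod 11 is not in <65537>
    for label, n in (("synthetic ROCA-shaped", suspect), ("ordinary odd number", ordinary)):
        bad = failing_primes(n)
        verdict = "FINGERPRINT MATCH" if not bad else f"clean (fails at primes {bad[:5]})"
        print(f"{label}: {verdict}")
```

To run it on a real key, extract the modulus with `openssl rsa -pubin -in key.pem -noout -modulus` (or `openssl x509 -in cert.pem -noout -modulus` for a certificate) and pass `int(hex_string, 16)` to `has_roca_fingerprint`. The subgroup sets are computed rather than hard-coded so the logic is auditable: the only trusted inputs are the generator 65537 and the list of small primes.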
Previous and related coverage
Estonia is built on secure state e-systems, so the world was watching when it hit a huge ID-card problem
A new security flaw has placed the security of RSA encryption in jeopardy.
1. not so secure after all (www.zdnet.com)
2. the ‘ROCA’ flaw (www.infineon.com)
3. experienced in Estonia (www.zdnet.com)
4. El País article (cincodias.elpais.com)
5. El Diario (www.eldiario.es)
6. Xataka (www.xataka.com)
7. given information (www.izenpe.eus)
8. tweeted (twitter.com)
9. Estonia’s ID card crisis: How e-state’s poster child got into and out of trouble (www.zdnet.com)
10. As devastating as KRACK: New vulnerability undermines RSA encryption keys (www.zdnet.com)
Heathrow officials are investigating after a USB stick containing confidential data including the exact route the Queen takes to the airport was reportedly found in the street. A total of 76 folders were on the stick, including maps, videos and documents, the Sunday Mirror reported. None were encrypted or password protected. The newspaper said it contained details of the security measures in place to protect the Queen and the types of identification needed by those, including undercover police officers, wanting to access restricted areas. The files revealed routes and other safety measures for cabinet ministers and foreign dignitaries, as well as timetables of patrols used to guard against suicide bombers and terror attacks. Maps of the exact locations of CCTV cameras, tunnels and escape shafts linked to the Heathrow Express are also said to be on the stick, as well as details of ultrasound radar systems used to scan the airport runways and the perimeter fence. The pocket-sized device was reportedly discovered in the street by an unemployed man who handed it to the Mirror, which then passed it to Heathrow intelligence chiefs.
Image: The airport says safety and security is its top priority
It is unclear if the security breach had been intentional or due to incompetence, the newspaper said. A Heathrow spokesperson told Sky News: “We have reviewed all of our security plans and are confident that Heathrow remains secure. “We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future.” The spokesperson added: “Heathrow’s top priority is the safety and security of our passengers and colleagues.
“The UK and Heathrow have some of the most robust aviation security measures in the world and we remain vigilant to evolving threats by updating our procedures on a daily basis.”
There has so far been no comment from authorities on the possibility that the data may have been downloaded or shared elsewhere. The UK terror threat level was raised to critical[1] after the Parsons Green Tube bomb in September, and currently stands at severe.
New security measures including stricter passenger screening take effect on Thursday on all U.S.-bound flights to comply with government requirements designed to avoid an in-cabin ban on laptops, airlines said. Airlines contacted by Reuters said the new measures could include short security interviews with passengers at check-in or the boarding gate, sparking concerns over flight delays and extended processing time. They will affect 325,000 airline passengers on about 2,000 commercial flights arriving daily in the United States, on 180 airlines from 280 airports in 105 countries.
The United States announced the new rules in June to end its restrictions on carry-on electronic devices on planes coming from 10 airports in eight countries in the Middle East and North Africa in response to unspecified security threats. Those restrictions were lifted in July, but the Trump administration said it could reimpose measures on a case-by-case basis if airlines and airports did not boost security. European and U.S. officials said at the time that airlines had 120 days to comply with the measures, including increased passenger screening. The 120-day deadline is Thursday.
Airlines had until late July to expand explosive trace detection testing.
“We see this as a big issue for China Airlines,” Steve Chang, senior vice president of the Taiwanese firm, told reporters on Wednesday, adding that the airline was trying to consult with the American Institute in the country over the issue. Korean Air, South Korea’s flagship carrier, also said it had a lot of concerns with the new measures.
“We are asking customers to show up at the airport early... It’s just inconvenient for the passengers,” President and Chief Operating Officer Walter Cho told Reuters in Taipei. Lufthansa said on Tuesday the measures would be in place by Thursday and travelers could face short interviews at check-in or at the gate.
Economy passengers on Lufthansa’s Swiss airline have been asked to check in at least 90 minutes before departure. Cathay Pacific Airways said it would suspend in-town check-in and self bag-drop services for passengers booked on direct flights to the United States. The airline said passengers would also have short security interviews and it has advised travelers to arrive three hours before departure. Singapore Airlines said the security checks could include inspections of personal electronic devices as well as security questioning during check-in and boarding.
Airlines for America, a U.S. trade group, said the changes “are complex security measures” but praised U.S. officials for giving airlines flexibility in meeting the new rules. Alexandre de Juniac, CEO of the International Air Transport Association, said the industry understood that security threats to aviation were made regularly, but in this case the U.S. government had not shared any specific dangers before changing the rules.
“What we have seen is very strange,” he told reporters in Taipei. “Unilateral measures announced without any prior consultation... That is something that is very concerning and disturbing.”
At their annual meeting in Taipei, Association of Asia Pacific Airlines (AAPA) members passed a resolution calling for security measures to be risk-based, outcome-focused and proportionate to the probable threat.
“Unilateral actions taken by individual governments reacting to emerging threats may result in unnecessary disruption or lead to unintended safety consequences,” said the members. AAPA includes most large Asian airlines but not mainland Chinese carriers.
“The risk is other countries make similar demands,” AAPA Director General Andrew Herdman said. U.S. authorities in June also increased security around aircraft and in passenger areas, and in other places where travelers can be cleared by U.S. officials before they depart.
A Transportation Security Administration (TSA) spokeswoman declined to discuss the specific changes but said, “the United States continues to work with our partners to raise the baseline of global aviation security and keep the entire traveling public safe.”
The TSA said in July it was imposing new security rules requiring U.S. domestic airline travelers to remove all electronic items larger than mobile phones, such as tablets, e-readers and video game consoles, from carry-on baggage for screening.