Millions of smartcards in use by banks and large corporations for more than a decade have been found to be vulnerable to a crippling cryptographic attack. That vulnerability allows hackers to bypass a wide range of protections, including data encryption and two-factor authentication.
The critical vulnerability, which researchers disclosed last week, allows attackers to derive the private portion of any vulnerable key using nothing more than the corresponding public portion. The so-called factorization attack can be completed in minutes or days, and the price can range from nothing, depending on the key size and type of computer an attacker uses, to $20,000. The vulnerability stems from a widely deployed library developed by German chipmaker Infineon, which in turn sells its hardware and software to third-party smartcard and device manufacturers.
The defect has now been confirmed to affect the first line of Gemalto IDPrime.NET smartcards. The cards have been on the market since 2004 at the latest, when Gemalto predecessor Axalto announced Microsoft employees were using the card to secure access to the software maker’s network, by, among other things, providing two-factor authentication to company employees worldwide. During the 12 years the cards are known to have been in use, Netherlands-based Gemalto has shipped cards numbering in the millions or even the tens or hundreds of millions.