Security researchers have discovered a new DUHK cryptography attack which can be exploited to recover encryption keys that could expose VPN connections, payment data and other sensitive business information. Cesare Garlati, Chief Security Strategist at the prpl Foundation commented below.
Cesare Garlati, Chief Security Strategist at the prpl Foundation:
“This is yet another lesson to manufacturers and developers of devices to avoid using hard-coded passwords, or secrets, embedded in the device itself. This proprietary method is flawed and exploited on an almost daily basis. These secrets get reused time and again, making the hacker’s job way too easy.
Furthermore, randomness in devices has always been the basis for security, but as we have seen in the past – there have been instances where the randomness turned out to be not that random or sponsored by nation states. If the devices are built using open source principles, flaws could be spotted, fixed and we could move on.
With the trillions of connected devices in use today and into the future, there is no way to build a safer society if we keep using these outdated security models. One exciting and promising security method that does use secrets – with a key difference that it is a secret that cannot be replicated – is Physical Unclonable Function (PUF) technology. PUF utilises inherent features in the chip itself, much like a fingerprint, where no two are the same, to create a secure root of trust in a device.”
