It has been announced that a potential security vulnerability affecting the Infineon software cryptographic library also known as ROCA (CVE-2017-15361) has been discovered.
The alleged issue is linked to the RSA on-board key generation function being part of a library optionally bundled with the chip by the silicon manufacturer. Infineon have stated that the chip hardware itself is not affected. The information related to this potential vulnerability has been shared with its customers.
As Gemalto sources certain products from Infineon, we have examined our entire product portfolio to identify those which use the affected software. Our thorough product analysis has concluded that:
- In the vast majority of cases, the crypto libraries developed by the chip manufacturer are not included in our products. It is standard practice that Gemalto products use our in-house cryptographic libraries, developed by our internal R&D teams and cryptography experts. We can confirm that products containing Gemalto’s crypto libraries are immune to the attack.
- We can confirm that none of our mobile, IoT or payment products and solutions are impacted in any way. For national eID cards, one customer only is using the Infineon crypto library. A solution to prevent any potential issues has been set up and implemented, this consists in a remote update of the eID cards. For ePassport programs, none. For our Enterprise portfolio,
IDPrime.NET products are impacted, depending on customer configuration.
We have already contacted the customers that use these products and are currently working with them on remedial solutions.
Gemalto takes this issue very seriously. We have set up a dedicated team of security experts to work on the situation and we will continue to monitor any developments.